[stable] Patch "HID: hidraw: fix window in hidraw_release" has been added to the 2.6.32-longterm tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    HID: hidraw: fix window in hidraw_release

to the 2.6.32-longterm tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.32.git;a=summary

The filename of the patch is:
     hid-hidraw-fix-window-in-hidraw_release.patch
and it can be found in the queue-2.6.32 subdirectory.

If you, or anyone else, feels it should not be added to the 2.6.32 longterm 
tree,
please let <sta...@kernel.org> know about it.


>From cb174681a9ececa6702f114b85bdf82144b6a5af Mon Sep 17 00:00:00 2001
From: Jiri Slaby <jsl...@suse.cz>
Date: Tue, 19 Oct 2010 11:29:55 +0200
Subject: HID: hidraw: fix window in hidraw_release

From: Jiri Slaby <jsl...@suse.cz>

commit cb174681a9ececa6702f114b85bdf82144b6a5af upstream.

[ Backport to .32.y by Antonio Ospite <osp...@studenti.unina.it> ]

There is a window between hidraw_table check and its dereference.
In that window, the device may be unplugged and removed form the
system and we will then dereference NULL.

Lock that place properly so that either we get NULL and jump out or we
can work with real pointer.

Signed-off-by: Jiri Slaby <jsl...@suse.cz>
Signed-off-by: Jiri Kosina <jkos...@suse.cz>
Signed-off-by: Antonio Ospite <osp...@studenti.unina.it>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 drivers/hid/hidraw.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -211,11 +211,14 @@ static int hidraw_release(struct inode *
        unsigned int minor = iminor(inode);
        struct hidraw *dev;
        struct hidraw_list *list = file->private_data;
+       int ret;
 
+       mutex_lock(&minors_lock);
        if (!hidraw_table[minor]) {
                printk(KERN_EMERG "hidraw device with minor %d doesn't exist\n",
                                minor);
-               return -ENODEV;
+               ret = -ENODEV;
+               goto unlock;
        }
 
        list_del(&list->node);
@@ -229,10 +232,12 @@ static int hidraw_release(struct inode *
                        kfree(list->hidraw);
                }
        }
-
        kfree(list);
+       ret = 0;
+unlock:
+       mutex_unlock(&minors_lock);
 
-       return 0;
+       return ret;
 }
 
 static long hidraw_ioctl(struct file *file, unsigned int cmd,


Patches currently in longterm-queue-2.6.32 which might be from jsl...@suse.cz 
are

_______________________________________________
stable mailing list
stable@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/stable