HID: hiddev: fix potential use-after-free

Commit 6cb4b040 ("HID: hiddev: fix race between hiddev_disconnect and hiddev_release") made it possible to access hiddev (for unlocking the existance mutex) once hiddev has been kfreed. Change the order so that this can not happen (always unlock the mutex first, it is needed only to protect access to ->exist and ->open). Signed-off-by: N Jiri Kosina <jkosina@suse.cz>

HID: hiddev: fix potential use-after-free
Commit 6cb4b040 ("HID: hiddev: fix race between hiddev_disconnect and hiddev_release") made it possible to access hiddev (for unlocking the existance mutex) once hiddev has been kfreed. Change the order so that this can not happen (always unlock the mutex first, it is needed only to protect access to ->exist and ->open). Signed-off-by: N Jiri Kosina <jkosina@suse.cz>
7f77897e · Jiri Kosina · d762f438 · 7f77897e
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/hid/usbhid/hiddev.c drivers/hid/usbhid/hiddev.c +2 -1

未找到文件。
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -923,10 +923,11 @@ void hiddev_disconnect(struct hid_device *hid)
 	usb_deregister_dev(usbhid->intf, &hiddev_class);
 	if (hiddev->open) {
+		mutex_unlock(&hiddev->existancelock);
 		usbhid_close(hiddev->hid);
 		wake_up_interruptible(&hiddev->wait);
 	} else {
+		mutex_unlock(&hiddev->existancelock);
 		kfree(hiddev);
 	}
-	mutex_unlock(&hiddev->existancelock);
 }