authorJiri Kosina <jkosina@suse.cz>2011-05-24 09:43:18 (GMT)
committerJiri Kosina <jkosina@suse.cz>2011-05-24 09:43:18 (GMT)
commit7f77897ef2b6a5ee4eb8bc24fe8b1f3eab254328 (patch)
tree024098e2025c2fbbd3b0a2edf70711ffef76f9b8 /drivers/hid/usbhid
parentd762f4383100c2a87b1a3f2d678cd3b5425655b4 (diff)
HID: hiddev: fix potential use-after-free
Commit 6cb4b040795 ("HID: hiddev: fix race between hiddev_disconnect and hiddev_release") made it possible to access hiddev (for unlocking the existance mutex) once hiddev has been kfreed. Change the order so that this can not happen (always unlock the mutex first, it is needed only to protect access to ->exist and ->open). Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid/usbhid')
-rw-r--r--drivers/hid/usbhid/hiddev.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c
index ff3c644..4985f485 100644
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -923,10 +923,11 @@ void hiddev_disconnect(struct hid_device *hid)
usb_deregister_dev(usbhid->intf, &hiddev_class);
if (hiddev->open) {
+ mutex_unlock(&hiddev->existancelock);
usbhid_close(hiddev->hid);
wake_up_interruptible(&hiddev->wait);
} else {
+ mutex_unlock(&hiddev->existancelock);
kfree(hiddev);
}
- mutex_unlock(&hiddev->existancelock);
}
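Review bot: In the `if (hiddev->open)` branch the new `mutex_unlock(&hiddev->existancelock);` runs before `usbhid_close(hiddev->hid)` and `wake_up_interruptible(&hiddev->wait)`, so both calls dereference `hiddev` with the lock already dropped. If the release path can free `hiddev` once it acquires the lock and sees the device gone (hiddev_release is not visible here, but the commit message describes exactly that race), this branch still has a use-after-free window. Assuming `usbhid_close()` does not itself take `existancelock`, the unlock in this branch should move to after the last use: `wake_up_interruptible(&hiddev->wait);` followed by `mutex_unlock(&hiddev->existancelock);`. The unlock-then-`kfree` order in the `else` branch looks right as written. hiddev_disconnect starts above the hunk, so where `->exist` is cleared relative to these lines should be confirmed against the full function.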