lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 21 Oct 2013 09:46:28 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	linux-kernel@...r.kernel.org, stable@...r.kernel.org
CC:	akpm@...ux-foundation.org, "Jiri Kosina" <jkosina@...e.cz>
Subject: [PATCH 3.2 017/149] HID: hidraw: put old deallocation mechanism
 in place

3.2.52-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Jiri Kosina <jkosina@...e.cz>

commit df0cfd6990347c20ae031f3f34137cba274f1972 upstream.

This basically reverts commit 4fe9f8e203fda. It causes multiple problems,
namely:

- after rmmod/modprobe cycle of bus driver, the input is not claimed any
  more. This is likely because of misplaced hid_hw_close()
- it causes memory corruption on hidraw_list

As original patch author is not responding to requests to fix his patch,
and the original deallocation mechanism is not exposing any problems, I
am reverting back to it.

Signed-off-by: Jiri Kosina <jkosina@...e.cz>
Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
---
 drivers/hid/hidraw.c | 69 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 43 insertions(+), 26 deletions(-)

--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -42,7 +42,6 @@ static struct cdev hidraw_cdev;
 static struct class *hidraw_class;
 static struct hidraw *hidraw_table[HIDRAW_MAX_DEVICES];
 static DEFINE_MUTEX(minors_lock);
-static void drop_ref(struct hidraw *hid, int exists_bit);
 
 static ssize_t hidraw_read(struct file *file, char __user *buffer, size_t count, loff_t *ppos)
 {
@@ -114,7 +113,7 @@ static ssize_t hidraw_send_report(struct
 	__u8 *buf;
 	int ret = 0;
 
-	if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+	if (!hidraw_table[minor]) {
 		ret = -ENODEV;
 		goto out;
 	}
@@ -262,7 +261,7 @@ static int hidraw_open(struct inode *ino
 	}
 
 	mutex_lock(&minors_lock);
-	if (!hidraw_table[minor] || !hidraw_table[minor]->exist) {
+	if (!hidraw_table[minor]) {
 		err = -ENODEV;
 		goto out_unlock;
 	}
@@ -299,12 +298,36 @@ out:
 static int hidraw_release(struct inode * inode, struct file * file)
 {
 	unsigned int minor = iminor(inode);
+	struct hidraw *dev;
 	struct hidraw_list *list = file->private_data;
+	int ret;
+	int i;
+
+	mutex_lock(&minors_lock);
+	if (!hidraw_table[minor]) {
+		ret = -ENODEV;
+		goto unlock;
+	}
 
-	drop_ref(hidraw_table[minor], 0);
 	list_del(&list->node);
+	dev = hidraw_table[minor];
+	if (!--dev->open) {
+		if (list->hidraw->exist) {
+			hid_hw_power(dev->hid, PM_HINT_NORMAL);
+			hid_hw_close(dev->hid);
+		} else {
+			kfree(list->hidraw);
+		}
+	}
+
+	for (i = 0; i < HIDRAW_BUFFER_SIZE; ++i)
+		kfree(list->buffer[i].value);
 	kfree(list);
-	return 0;
+	ret = 0;
+unlock:
+	mutex_unlock(&minors_lock);
+
+	return ret;
 }
 
 static long hidraw_ioctl(struct file *file, unsigned int cmd,
@@ -506,7 +529,21 @@ EXPORT_SYMBOL_GPL(hidraw_connect);
 void hidraw_disconnect(struct hid_device *hid)
 {
 	struct hidraw *hidraw = hid->hidraw;
-	drop_ref(hidraw, 1);
+
+	mutex_lock(&minors_lock);
+	hidraw->exist = 0;
+
+	device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
+
+	hidraw_table[hidraw->minor] = NULL;
+
+	if (hidraw->open) {
+		hid_hw_close(hid);
+		wake_up_interruptible(&hidraw->wait);
+	} else {
+		kfree(hidraw);
+	}
+	mutex_unlock(&minors_lock);
 }
 EXPORT_SYMBOL_GPL(hidraw_disconnect);
 
@@ -555,23 +592,3 @@ void hidraw_exit(void)
 	unregister_chrdev_region(dev_id, HIDRAW_MAX_DEVICES);
 
 }
-
-static void drop_ref(struct hidraw *hidraw, int exists_bit)
-{
-	mutex_lock(&minors_lock);
-	if (exists_bit) {
-		hid_hw_close(hidraw->hid);
-		hidraw->exist = 0;
-		if (hidraw->open)
-			wake_up_interruptible(&hidraw->wait);
-	} else {
-		--hidraw->open;
-	}
-
-	if (!hidraw->open && !hidraw->exist) {
-		device_destroy(hidraw_class, MKDEV(hidraw_major, hidraw->minor));
-		hidraw_table[hidraw->minor] = NULL;
-		kfree(hidraw);
-	}
-	mutex_unlock(&minors_lock);
-}

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ