2011-02-15 14:41:11

by Benjamin Tissoires

Subject: [PATCH] hidinput: kernel oops in out_cleanup in function hidinput_connect

Goto out_cleanup infers a kernel oops: hidinput_disconnect calls
input_unregister_driver to all members of hid->inputs.
However, hidinput already has been added to hid->inputs even
though input_register_device was not called.

Signed-off-by: Benjamin Tissoires <[email protected]>
---
Hi,

while playing with hidinput_connect, I found this bug.

Cheers,
Benjamin

drivers/hid/hid-input.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 7f552bf..f53911d 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -928,6 +928,7 @@ int hidinput_connect(struct hid_device *hid, unsigned int force)
return 0;

out_cleanup:
+ list_del(&hidinput->list);
input_free_device(hidinput->input);
kfree(hidinput);
out_unwind:
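Review bot: the list_del() added at out_cleanup carries no comment, and nothing in the hunk shows where the entry was linked into hid->inputs, so a later cleanup could easily drop it as redundant; a one-line comment such as `/* undo the earlier list_add: the entry was linked before registration failed */` would pin down why it must precede kfree(hidinput), and it is worth confirming that the out_unwind path that follows does not reference hidinput again now that it is unlinked and freed.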
--
1.7.4
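The cleanup-ordering bug the commit message describes, as an added C example that is not the kernel's code and not part of this thread: a stripped-down model of hidinput_connect()/hidinput_disconnect() with stand-in list helpers, where the entry is linked into hid->inputs before registration and a failed registration takes the cleanup path with or without the patch's list_del(). All names here are assumptions for the demo, and kfree() is replaced by a marker so the stale entry can be counted instead of triggering a real use-after-free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Minimal stand-ins for the kernel list helpers (constructed for this example). */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
#define list_entry(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
struct hid_input  { struct list_head list; bool registered; };
struct hid_device { struct list_head inputs; };
/* Stand-in for kfree(): the driver really frees, so a still-linked entry is a
 * use-after-free on the next walk; marking it dead (and leaking it) keeps the
 * demo well-defined while letting the walk below report it. */
static void fake_kfree(struct hid_input *hi) { hi->registered = false; }

/* Same ordering as hidinput_connect(): linked into hid->inputs before registration;
 * on failure, `fixed` selects whether cleanup runs list_del() (patch) or not (bug). */
static int connect_input(struct hid_device *hid, bool register_fails, bool fixed)
{
    struct hid_input *hi = calloc(1, sizeof(*hi));
    if (!hi) return -1;
    list_add_tail(&hi->list, &hid->inputs);
    if (register_fails) {                 /* input_register_device() failed */
        if (fixed) list_del(&hi->list);   /* the one-line fix */
        fake_kfree(hi);                   /* real code: kfree(hidinput) */
        return -1;
    }
    hi->registered = true;
    return 0;
}

/* Mirrors the walk in hidinput_disconnect(): counts entries it would hand to
 * input_unregister_device() even though they were never registered. */
static int stale_entries(struct hid_device *hid)
{
    int stale = 0;
    for (struct list_head *p = hid->inputs.next; p != &hid->inputs; p = p->next)
        if (!list_entry(p, struct hid_input, list)->registered) stale++;
    return stale;
}

/* One failed connect on an empty device: 1 stale entry without the fix, 0 with it. */
int stale_after_failed_connect(bool fixed)
{
    struct hid_device hid; INIT_LIST_HEAD(&hid.inputs);
    connect_input(&hid, true, fixed); return stale_entries(&hid);
}
```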


2011-02-15 16:46:30

by Dmitry Torokhov

Subject: Re: [PATCH] hidinput: kernel oops in out_cleanup in function hidinput_connect

On Tue, Feb 15, 2011 at 03:41:10PM +0100, Benjamin Tissoires wrote:
> Goto out_cleanup infers a kernel oops: hidinput_disconnect calls
> input_unregister_driver to all members of hid->inputs.
> However, hidinput already has been added to hid->inputs even
> though input_register_device was not called.
>
> Signed-off-by: Benjamin Tissoires <[email protected]>

Yep, well spotted.

Reviewed-by: Dmitry Torokhov <[email protected]>

> ---
> Hi,
>
> while playing with hidinput_connect, I found this bug.
>
> Cheers,
> Benjamin
>
> drivers/hid/hid-input.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
> index 7f552bf..f53911d 100644
> --- a/drivers/hid/hid-input.c
> +++ b/drivers/hid/hid-input.c
> @@ -928,6 +928,7 @@ int hidinput_connect(struct hid_device *hid, unsigned int force)
> return 0;
>
> out_cleanup:
> + list_del(&hidinput->list);
> input_free_device(hidinput->input);
> kfree(hidinput);
> out_unwind:
> --
> 1.7.4
>

--
Dmitry

2011-02-15 22:48:21

by Jiri Kosina

Subject: Re: [PATCH] hidinput: kernel oops in out_cleanup in function hidinput_connect

On Tue, 15 Feb 2011, Dmitry Torokhov wrote:

> > Goto out_cleanup infers a kernel oops: hidinput_disconnect calls
> > input_unregister_driver to all members of hid->inputs.
> > However, hidinput already has been added to hid->inputs even
> > though input_register_device was not called.
> >
> > Signed-off-by: Benjamin Tissoires <[email protected]>
>
> Yep, well spotted.
>
> Reviewed-by: Dmitry Torokhov <[email protected]>

Indeed, thanks a lot for spotting this, Benjamin. Apparently this codepath
is not exercised too heavily (which is good :) ).

Applied.

--
Jiri Kosina
SUSE Labs, Novell Inc.