summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAntonio Ospite <ospite@studenti.unina.it>2010-10-05 17:20:17 +0200
committerJiri Kosina <jkosina@suse.cz>2010-10-06 11:30:34 +0200
commite42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 (patch)
tree98ddb05e7f8eb8420ad376d3c8ef8f2a993659ea
parentHID: hidraw, fix a NULL pointer dereference in hidraw_ioctl (diff)
downloadlinux-e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6.tar.xz
linux-e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6.zip
HID: hidraw, fix a NULL pointer dereference in hidraw_write
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 IP: [<ffffffffa0f0a625>] hidraw_write+0x3b/0x116 [hid] [...] This is reproducible by disconnecting the device while userspace writes to dev node in a loop and doesn't check return values in order to exit the loop. Signed-off-by: Antonio Ospite <ospite@studenti.unina.it> Cc: stable@kernel.org Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-rw-r--r--drivers/hid/hidraw.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index 9eaf6ae5f97f..a3866b5c0c43 100644
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -109,6 +109,12 @@ static ssize_t hidraw_write(struct file *file, const char __user *buffer, size_t
int ret = 0;
mutex_lock(&minors_lock);
+
+ if (!hidraw_table[minor]) {
+ ret = -ENODEV;
+ goto out;
+ }
+
dev = hidraw_table[minor]->hid;
if (!dev->hid_output_raw_report) {