From: Oliver Neukum Date: Thu, 12 Feb 2009 12:17:52 +0000 (+0100) Subject: HID: fix race between usb_register_dev() and hiddev_open() X-Git-Url: http://pilppa.com/gitweb/?a=commitdiff_plain;h=e43bd67d721bccbfe144c0b586b0ab3a2a157968;p=linux-2.6-omap-h63xx.git HID: fix race between usb_register_dev() and hiddev_open() upon further thought this code is still racy. retval = usb_register_dev(usbhid->intf, &hiddev_class); here you open a window during which open can happen if (retval) { err_hid("Not able to get a minor for this device."); hid->hiddev = NULL; kfree(hiddev); return -1; } else { hid->minor = usbhid->intf->minor; hiddev_table[usbhid->intf->minor - HIDDEV_MINOR_BASE] = hiddev; and will fail because hiddev_table hasn't been updated The obvious fix of using a mutex to guard hiddev_table doesn't work because usb_open() and usb_register_dev() take minor_rwsem and we'd have an AB-BA deadlock. We need a lock usb_open() also takes in the right order and that leaves only one option, BKL. I don't like it but I see no alternative. Once the usb_open() implements something better than lock_kernel(), we could also do so. Signed-off-by: Oliver Neukum Signed-off-by: Jiri Kosina --- diff --git a/drivers/hid/usbhid/hiddev.c b/drivers/hid/usbhid/hiddev.c index aa214170baf..93dcb7e2910 100644 --- a/drivers/hid/usbhid/hiddev.c +++ b/drivers/hid/usbhid/hiddev.c @@ -875,16 +875,21 @@ int hiddev_connect(struct hid_device *hid, unsigned int force) hiddev->hid = hid; hiddev->exist = 1; + /* when lock_kernel() usage is fixed in usb_open(), + * we could also fix it here */ + lock_kernel(); retval = usb_register_dev(usbhid->intf, &hiddev_class); if (retval) { err_hid("Not able to get a minor for this device."); hid->hiddev = NULL; + unlock_kernel(); kfree(hiddev); return -1; } else { hid->minor = usbhid->intf->minor; hiddev_table[usbhid->intf->minor - HIDDEV_MINOR_BASE] = hiddev; } + unlock_kernel(); return 0; }