HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl

BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
[...]

This is reproducible by disconnecting the device while userspace does
ioctl in a loop and doesn't check return values in order to exit the
loop.

Signed-off-by: Antonio Ospite <[email protected]>
Cc: [email protected]
Signed-off-by: Jiri Kosina <[email protected]>

diff --git a/drivers/hid/hidraw.c b/drivers/hid/hidraw.c
index 47d70c523d93474a658bbaa5aa5b1cfb327f194b..9eaf6ae5f97faa8ec047c6546f02b306394052ef 100644 (file)
--- a/drivers/hid/hidraw.c
+++ b/drivers/hid/hidraw.c
@@ -244,6 +244,10 @@ static long hidraw_ioctl(struct file *file, unsigned int cmd,
 
        mutex_lock(&minors_lock);
        dev = hidraw_table[minor];
+       if (!dev) {
+               ret = -ENODEV;
+               goto out;
+       }
 
        switch (cmd) {
                case HIDIOCGRDESCSIZE:
@@ -317,6 +321,7 @@ static long hidraw_ioctl(struct file *file, unsigned int cmd,
 
                ret = -ENOTTY;
        }
+out:
        mutex_unlock(&minors_lock);
        return ret;
 }