From 6d4472d7bec39917b54e4e80245784ea5d60ce49 Mon Sep 17 00:00:00 2001
From: Hillf Danton <hdanton@sina.com>
Date: Tue, 6 Aug 2019 16:40:15 +0800
Subject: [PATCH] HID: hiddev: do cleanup in failure of opening a device
Git-commit: 6d4472d7bec39917b54e4e80245784ea5d60ce49
Patch-mainline: v5.3-rc4
References: CVE-2019-19527 bsc#1158900 bsc#1051510
Undo what we did for opening before releasing the memory slice.
Reported-by: syzbot <syzbot+62a1e04fd3ec2abf099e@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: Takashi Iwai <tiwai@suse.de>
---
drivers/hid/usbhid/hiddev.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/hid/usbhid/hiddev.c
+++ b/drivers/hid/usbhid/hiddev.c
@@ -321,6 +321,10 @@ static int hiddev_open(struct inode *ino
return 0;
bail_unlock:
mutex_unlock(&hiddev->existancelock);
+
+ spin_lock_irq(&list->hiddev->list_lock);
+ list_del(&list->node);
+ spin_unlock_irq(&list->hiddev->list_lock);
bail:
file->private_data = NULL;
vfree(list);