aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuiz Fernando Capitulino <lcapitulino@mandriva.com.br>2006-05-11 21:34:17 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2006-05-12 14:58:09 -0400
commit704936a25bda9bb12e35bb222d5e3f26186dc279 (patch)
tree723b247a002e47be72d4ba203277870de0fea220
parent16c23f7d88cbcce491f9370b2846fad66e8ef319 (diff)
[PATCH] usbserial: Fixes use-after-free in serial_open().
If the device is disconnected while serial_open() is executing and either try_module_get() or the device specific open function fails, the kref_put() call in the 'bailout_kref_put' label will free the memory pointed out by 'port'. The subsequent dereferences in the 'bailout_kref_put' label will be invalid. The fix is just to assure kref_put() is called after any 'port' usage. Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/usb-serial.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a59c08..d9dceb4f57b9 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
225bailout_module_put: 225bailout_module_put:
226 module_put(serial->type->driver.owner); 226 module_put(serial->type->driver.owner);
227bailout_kref_put: 227bailout_kref_put:
228 kref_put(&serial->kref, destroy_serial);
229 port->open_count = 0; 228 port->open_count = 0;
230 mutex_unlock(&port->mutex); 229 mutex_unlock(&port->mutex);
230 kref_put(&serial->kref, destroy_serial);
231 return retval; 231 return retval;
232} 232}
233 233