diff options
author | Luiz Fernando Capitulino <lcapitulino@mandriva.com.br> | 2006-05-11 21:34:17 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-05-12 14:58:09 -0400 |
commit | 704936a25bda9bb12e35bb222d5e3f26186dc279 (patch) | |
tree | 723b247a002e47be72d4ba203277870de0fea220 | |
parent | 16c23f7d88cbcce491f9370b2846fad66e8ef319 (diff) |
[PATCH] usbserial: Fixes use-after-free in serial_open().
If the device is disconnected while serial_open() is executing and
either try_module_get() or the device specific open function fails, the
kref_put() call in the 'bailout_kref_put' label will free the memory
pointed out by 'port'.
The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.
The fix is just to assure kref_put() is called after any 'port' usage.
Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/serial/usb-serial.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c index 071f86a59c08..d9dceb4f57b9 100644 --- a/drivers/usb/serial/usb-serial.c +++ b/drivers/usb/serial/usb-serial.c | |||
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp) | |||
225 | bailout_module_put: | 225 | bailout_module_put: |
226 | module_put(serial->type->driver.owner); | 226 | module_put(serial->type->driver.owner); |
227 | bailout_kref_put: | 227 | bailout_kref_put: |
228 | kref_put(&serial->kref, destroy_serial); | ||
229 | port->open_count = 0; | 228 | port->open_count = 0; |
230 | mutex_unlock(&port->mutex); | 229 | mutex_unlock(&port->mutex); |
230 | kref_put(&serial->kref, destroy_serial); | ||
231 | return retval; | 231 | return retval; |
232 | } | 232 | } |
233 | 233 | ||