Commit 704936a2 authored by Luiz Fernando Capitulino, committed by Greg Kroah-Hartman

[PATCH] usbserial: Fixes use-after-free in serial_open().

If the device is disconnected while serial_open() is executing and
either try_module_get() or the device specific open function fails, the
kref_put() call in the 'bailout_kref_put' label will free the memory
pointed to by 'port'.

The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.

The fix is just to ensure kref_put() is called after any 'port' usage.

Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 16c23f7d
...@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp) ...@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
bailout_module_put: bailout_module_put:
module_put(serial->type->driver.owner); module_put(serial->type->driver.owner);
bailout_kref_put: bailout_kref_put:
kref_put(&serial->kref, destroy_serial);
port->open_count = 0; port->open_count = 0;
mutex_unlock(&port->mutex); mutex_unlock(&port->mutex);
kref_put(&serial->kref, destroy_serial);
return retval; return retval;
} }
......
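Review bot: The statement order under bailout_kref_put is now load-bearing, but nothing in the code says so. kref_put(&serial->kref, destroy_serial) has to remain the last statement before return retval, because per the commit message dropping that reference can free the memory 'port' points to, and both port->open_count = 0 and mutex_unlock(&port->mutex) dereference it. Please add a short comment above the kref_put() line saying that 'port' must not be touched after it, so a later cleanup does not move the call back up. The module_put(serial->type->driver.owner) under bailout_module_put is fine where it is, since it runs while the reference is still held.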