[PATCH] usbserial: Fixes use-after-free in serial_open().
If the device is disconnected while serial_open() is executing and either try_module_get() or the device specific open function fails, the kref_put() call in the 'bailout_kref_put' label will free the memory pointed out by 'port'. The subsequent dereferences in the 'bailout_kref_put' label will be invalid. The fix is just to assure kref_put() is called after any 'port' usage. Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Luiz Fernando Capitulino
Greg Kroah-Hartman
parent
16c23f7d88
commit
704936a25b
1 changed files with 1 additions and 1 deletions
|
|
@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
|
|||
bailout_module_put:
|
||||
module_put(serial->type->driver.owner);
|
||||
bailout_kref_put:
|
||||
kref_put(&serial->kref, destroy_serial);
|
||||
port->open_count = 0;
|
||||
mutex_unlock(&port->mutex);
|
||||
kref_put(&serial->kref, destroy_serial);
|
||||
return retval;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue