summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuiz Fernando Capitulino <lcapitulino@mandriva.com.br>2006-05-12 03:34:24 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>2006-05-12 20:58:09 +0200
commit71a84163ca6b4e36744978385e94150af32f9d75 (patch)
tree2f00bcc4c102660e55c2ff840ce4db6d44ede988
parent[PATCH] usbserial: Fixes use-after-free in serial_open(). (diff)
downloadlinux-71a84163ca6b4e36744978385e94150af32f9d75.tar.xz
linux-71a84163ca6b4e36744978385e94150af32f9d75.zip
[PATCH] usbserial: Fixes leak in serial_open() error path.
If serial_open() fails at the port assignment or mutex_lock_interruptible() is interrupted, the 'serial' object will never be freed. We should call kref_put() when those errors happens. Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/serial/usb-serial.c17
1 files changed, 11 insertions, 6 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index d9dceb4f57b9..9c36f0ece20f 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -189,11 +189,15 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
portNumber = tty->index - serial->minor;
port = serial->port[portNumber];
- if (!port)
- return -ENODEV;
+ if (!port) {
+ retval = -ENODEV;
+ goto bailout_kref_put;
+ }
- if (mutex_lock_interruptible(&port->mutex))
- return -ERESTARTSYS;
+ if (mutex_lock_interruptible(&port->mutex)) {
+ retval = -ERESTARTSYS;
+ goto bailout_kref_put;
+ }
++port->open_count;
@@ -209,7 +213,7 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
* safe because we are called with BKL held */
if (!try_module_get(serial->type->driver.owner)) {
retval = -ENODEV;
- goto bailout_kref_put;
+ goto bailout_mutex_unlock;
}
/* only call the device specific open if this
@@ -224,9 +228,10 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
bailout_module_put:
module_put(serial->type->driver.owner);
-bailout_kref_put:
+bailout_mutex_unlock:
port->open_count = 0;
mutex_unlock(&port->mutex);
+bailout_kref_put:
kref_put(&serial->kref, destroy_serial);
return retval;
}