summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorLuiz Fernando Capitulino <lcapitulino@mandriva.com.br>2006-05-12 03:34:17 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>2006-05-12 20:58:09 +0200
commit704936a25bda9bb12e35bb222d5e3f26186dc279 (patch)
tree723b247a002e47be72d4ba203277870de0fea220 /drivers
parent[PATCH] USB: Emagic USB firmware loading fixes (diff)
downloadlinux-704936a25bda9bb12e35bb222d5e3f26186dc279.tar.xz
linux-704936a25bda9bb12e35bb222d5e3f26186dc279.zip
[PATCH] usbserial: Fixes use-after-free in serial_open().
If the device is disconnected while serial_open() is executing and either try_module_get() or the device specific open function fails, the kref_put() call in the 'bailout_kref_put' label will free the memory pointed out by 'port'. The subsequent dereferences in the 'bailout_kref_put' label will be invalid. The fix is just to assure kref_put() is called after any 'port' usage. Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/serial/usb-serial.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a59c08..d9dceb4f57b9 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
bailout_module_put:
module_put(serial->type->driver.owner);
bailout_kref_put:
- kref_put(&serial->kref, destroy_serial);
port->open_count = 0;
mutex_unlock(&port->mutex);
+ kref_put(&serial->kref, destroy_serial);
return retval;
}