If the device is disconnected while serial_open() is executing and either
try_module_get() or the device specific open function fails, the kref_put()
call in the 'bailout_kref_put' label will free the memory pointed out by
'port'.
The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.
The fix is just to assure kref_put() is called after any 'port' usage.
Signed-off-by: Luiz Fernando N. Capitulino <[email protected]>
---
drivers/usb/serial/usb-serial.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
4eaa6dcadd9df93d0297cdff45fe8a30169c7abe
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a..d9dceb4 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struc
bailout_module_put:
module_put(serial->type->driver.owner);
bailout_kref_put:
- kref_put(&serial->kref, destroy_serial);
port->open_count = 0;
mutex_unlock(&port->mutex);
+ kref_put(&serial->kref, destroy_serial);
return retval;
}
--
1.3.1.ge5de
--
Luiz Fernando N. Capitulino
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]