[PATCH] USB Serial: fix use-after-free bug in usb-serial core
This fixes a use-after-free bug in the usb-serial core. It is simple to trigger this (open a usb-serial port, then yank the device out before closing the port.) Thanks to Stefan Seyfried <seife@suse.de> for reporting this, and to the slab debugging code which enabled it to be tracked down. Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Greg Kroah-Hartman
Linus Torvalds
Родитель
b6f57864ee
Коммит
91c0bce29e
|
|
@ -242,8 +242,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
|||
|
||||
down(&port->sem);
|
||||
|
||||
if (port->open_count == 0)
|
||||
goto out;
|
||||
if (port->open_count == 0) {
|
||||
up(&port->sem);
|
||||
return;
|
||||
}
|
||||
|
||||
--port->open_count;
|
||||
if (port->open_count == 0) {
|
||||
|
|
@ -260,10 +262,8 @@ static void serial_close(struct tty_struct *tty, struct file * filp)
|
|||
module_put(port->serial->type->driver.owner);
|
||||
}
|
||||
|
||||
kref_put(&port->serial->kref, destroy_serial);
|
||||
|
||||
out:
|
||||
up(&port->sem);
|
||||
kref_put(&port->serial->kref, destroy_serial);
|
||||
}
|
||||
|
||||
static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче