From: Greg Kroah-Hartman Date: Mon, 6 Mar 2006 21:25:52 +0000 (-0800) Subject: [PATCH] USB Serial: fix use-after-free bug in usb-serial core X-Git-Tag: v2.6.16-rc6~110 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91c0bce29e4050a59ee5fdc1192b60bbf8693a6d;p=linux-2.6 [PATCH] USB Serial: fix use-after-free bug in usb-serial core This fixes a use-after-free bug in the usb-serial core. It is simple to trigger this (open a usb-serial port, then yank the device out before closing the port.) Thanks to Stefan Seyfried for reporting this, and to the slab debugging code which enabled it to be tracked down. Signed-off-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds --- diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c index 4dd6865d32..b5c96e74a9 100644 --- a/drivers/usb/serial/usb-serial.c +++ b/drivers/usb/serial/usb-serial.c @@ -242,8 +242,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp) down(&port->sem); - if (port->open_count == 0) - goto out; + if (port->open_count == 0) { + up(&port->sem); + return; + } --port->open_count; if (port->open_count == 0) { @@ -260,10 +262,8 @@ static void serial_close(struct tty_struct *tty, struct file * filp) module_put(port->serial->type->driver.owner); } - kref_put(&port->serial->kref, destroy_serial); - -out: up(&port->sem); + kref_put(&port->serial->kref, destroy_serial); } static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)