From 91c0bce29e4050a59ee5fdc1192b60bbf8693a6d Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Mar 2006 13:25:52 -0800 Subject: [PATCH] USB Serial: fix use-after-free bug in usb-serial core This fixes a use-after-free bug in the usb-serial core. It is simple to trigger this (open a usb-serial port, then yank the device out before closing the port.) Thanks to Stefan Seyfried for reporting this, and to the slab debugging code which enabled it to be tracked down. Signed-off-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds --- drivers/usb/serial/usb-serial.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c index 4dd6865d32b0b..b5c96e74a903c 100644 --- a/drivers/usb/serial/usb-serial.c +++ b/drivers/usb/serial/usb-serial.c @@ -242,8 +242,10 @@ static void serial_close(struct tty_struct *tty, struct file * filp) down(&port->sem); - if (port->open_count == 0) - goto out; + if (port->open_count == 0) { + up(&port->sem); + return; + } --port->open_count; if (port->open_count == 0) { @@ -260,10 +262,8 @@ static void serial_close(struct tty_struct *tty, struct file * filp) module_put(port->serial->type->driver.owner); } - kref_put(&port->serial->kref, destroy_serial); - -out: up(&port->sem); + kref_put(&port->serial->kref, destroy_serial); } static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count) -- cgit 1.2.3-korg