diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2006-03-06 13:57:37 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-03-06 13:57:37 -0800 |
commit | 98157f8073f8608d5180763c3b2123aa2a640a3d (patch) | |
tree | 0fa0245d2720261364d30a08344c8a5de3d84710 /usb | |
parent | feb53285401b9f67b1671e9645b84cd5c2ef7101 (diff) | |
download | patches-98157f8073f8608d5180763c3b2123aa2a640a3d.tar.gz |
usb serial slab use fix
Diffstat (limited to 'usb')
-rw-r--r-- | usb/usb-serial-fix-use-after-free.patch | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/usb/usb-serial-fix-use-after-free.patch b/usb/usb-serial-fix-use-after-free.patch new file mode 100644 index 0000000000000..a1d7000badb0a --- /dev/null +++ b/usb/usb-serial-fix-use-after-free.patch @@ -0,0 +1,42 @@ +From: Greg Kroah-Hartman <gregkh@suse.de> +Subject: USB Serial: fix use-after-free bug in usb-serial core + +This fixes a use-after-free bug in the usb-serial core. It is simple to +trigger this (open a usb-serial port, then yank the device out before +closing the port.) Thanks to Stefan Seyfried <seife@suse.de> for +reporting this, and to the slab debugging code which enabled it to be +tracked down. + +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/usb-serial.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c ++++ gregkh-2.6/drivers/usb/serial/usb-serial.c +@@ -242,8 +242,10 @@ static void serial_close(struct tty_stru + + down(&port->sem); + +- if (port->open_count == 0) +- goto out; ++ if (port->open_count == 0) { ++ up(&port->sem); ++ return; ++ } + + --port->open_count; + if (port->open_count == 0) { +@@ -260,10 +262,8 @@ static void serial_close(struct tty_stru + module_put(port->serial->type->driver.owner); + } + +- kref_put(&port->serial->kref, destroy_serial); +- +-out: + up(&port->sem); ++ kref_put(&port->serial->kref, destroy_serial); + } + + static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count) |