authorGreg Kroah-Hartman <gregkh@suse.de>2006-03-06 13:57:37 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2006-03-06 13:57:37 -0800
commit98157f8073f8608d5180763c3b2123aa2a640a3d (patch)
tree0fa0245d2720261364d30a08344c8a5de3d84710 /usb
parentfeb53285401b9f67b1671e9645b84cd5c2ef7101 (diff)
usb serial slab use fix
Diffstat (limited to 'usb')
-rw-r--r--usb/usb-serial-fix-use-after-free.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/usb/usb-serial-fix-use-after-free.patch b/usb/usb-serial-fix-use-after-free.patch
new file mode 100644
index 0000000000000..a1d7000badb0a
--- /dev/null
+++ b/usb/usb-serial-fix-use-after-free.patch
@@ -0,0 +1,42 @@
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Subject: USB Serial: fix use-after-free bug in usb-serial core
+
+This fixes a use-after-free bug in the usb-serial core. It is simple to
+trigger this (open a usb-serial port, then yank the device out before
+closing the port.) Thanks to Stefan Seyfried <seife@suse.de> for
+reporting this, and to the slab debugging code which enabled it to be
+tracked down.
+
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/usb/serial/usb-serial.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- gregkh-2.6.orig/drivers/usb/serial/usb-serial.c
++++ gregkh-2.6/drivers/usb/serial/usb-serial.c
+@@ -242,8 +242,10 @@ static void serial_close(struct tty_stru
+
+ down(&port->sem);
+
+- if (port->open_count == 0)
+- goto out;
++ if (port->open_count == 0) {
++ up(&port->sem);
++ return;
++ }
+
+ --port->open_count;
+ if (port->open_count == 0) {
+@@ -260,10 +262,8 @@ static void serial_close(struct tty_stru
+ module_put(port->serial->type->driver.owner);
+ }
+
+- kref_put(&port->serial->kref, destroy_serial);
+-
+-out:
+ up(&port->sem);
++ kref_put(&port->serial->kref, destroy_serial);
+ }
+
+ static int serial_write (struct tty_struct * tty, const unsigned char *buf, int count)
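Review bot: The reordered tail of serial_close carries no comment saying why `up(&port->sem)` must now come before `kref_put(&port->serial->kref, destroy_serial)`, so a later cleanup could quietly restore the old order and the use-after-free with it. I would add a comment above the kref_put such as `/* this may drop the last reference and free port via destroy_serial(); port must not be touched afterwards */`. That destroy_serial frees the port is inferred from the patch description, since its body is not in the hunk. The new early return for `open_count == 0` skips kref_put just as the old `goto out` did, so it is worth confirming against serial_open that no reference is held on that path. The start of serial_close lies outside both inner hunks.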