From: Luiz Fernando Capitulino Date: Fri, 12 May 2006 01:34:17 +0000 (-0300) Subject: [PATCH] usbserial: Fixes use-after-free in serial_open(). X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=704936a25bda9bb12e35bb222d5e3f26186dc279;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] usbserial: Fixes use-after-free in serial_open(). If the device is disconnected while serial_open() is executing and either try_module_get() or the device specific open function fails, the kref_put() call in the 'bailout_kref_put' label will free the memory pointed out by 'port'. The subsequent dereferences in the 'bailout_kref_put' label will be invalid. The fix is just to assure kref_put() is called after any 'port' usage. Signed-off-by: Luiz Fernando N. Capitulino Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c index 071f86a59c0..d9dceb4f57b 100644 --- a/drivers/usb/serial/usb-serial.c +++ b/drivers/usb/serial/usb-serial.c @@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp) bailout_module_put: module_put(serial->type->driver.owner); bailout_kref_put: - kref_put(&serial->kref, destroy_serial); port->open_count = 0; mutex_unlock(&port->mutex); + kref_put(&serial->kref, destroy_serial); return retval; }