Subject: [PATCH 1/2] usbserial: Fixes use-after-free in serial_open().


If the device is disconnected while serial_open() is executing and either
try_module_get() or the device specific open function fails, the kref_put()
call in the 'bailout_kref_put' label will free the memory pointed out by
'port'.

The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.

The fix is just to assure kref_put() is called after any 'port' usage.

Signed-off-by: Luiz Fernando N. Capitulino <[email protected]>

---

drivers/usb/serial/usb-serial.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

4eaa6dcadd9df93d0297cdff45fe8a30169c7abe
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a..d9dceb4 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struc
bailout_module_put:
module_put(serial->type->driver.owner);
bailout_kref_put:
- kref_put(&serial->kref, destroy_serial);
port->open_count = 0;
mutex_unlock(&port->mutex);
+ kref_put(&serial->kref, destroy_serial);
return retval;
}

--
1.3.1.ge5de



--
Luiz Fernando N. Capitulino