From: Xiyu Yang
To: Greg Kroah-Hartman, Jiri Slaby, linux-serial@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xiyu Yang, Xin Tan
Subject: [PATCH] tty: serial_core: Fix uart_state leak when port shutdown
Date: Sat, 13 Jun 2020 20:51:04 +0800
Message-Id: <1592052665-95042-1-git-send-email-xiyuyang19@fudan.edu.cn>

uart_shutdown() invokes uart_port_lock(), which returns a reference to the uart_port object if it increases the refcount of the uart_state object successfully, or returns NULL if it fails.
However, uart_shutdown() doesn't take the return value of uart_port_lock() as the new uart_port object for "uport" and uses the old "uport" instead to balance the refcount in uart_port_unlock(), which may cause a redundant decrement of the refcount when the new "uport" equals NULL and then cause a potential memory leak.

Fix this issue by updating the "uport" object to the return value of uart_port_lock() when invoking uart_port_lock().

Signed-off-by: Xiyu Yang
Signed-off-by: Xin Tan
--- drivers/tty/serial/serial_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c index 57840cf90388..ab8756ef2b60 100644 --- a/drivers/tty/serial/serial_core.c +++ b/drivers/tty/serial/serial_core.c @@ -313,7 +313,7 @@ static void uart_shutdown(struct tty_struct *tty, struct uart_state *state) * console driver may need to allocate/free a debug object, which * can endup in printk() recursion. */ - uart_port_lock(state, flags); + uport = uart_port_lock(state, flags); xmit_buf = state->xmit.buf; state->xmit.buf = NULL; uart_port_unlock(uport, flags); -- 2.7.4
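
Review bot: after the changed line `uport = uart_port_lock(state, flags);`, "uport" can be NULL (the changelog says uart_port_lock() returns NULL on failure), and the assignment overwrites the function's existing "uport" instead of using a separate local. Please confirm that nothing in uart_shutdown() beyond the context shown here dereferences "uport" afterwards, or keep the lock result in its own variable and pass that one to uart_port_unlock(). The context lines `xmit_buf = state->xmit.buf;` and `state->xmit.buf = NULL;` still run when the lock call returned NULL, so the changelog should say whether that path is safe without the lock held. The changelog also describes a redundant refcount decrement but calls the result a memory leak; an extra decrement normally ends in a premature release rather than a leak, so the description should state which imbalance actually occurs, and a Fixes: tag naming the commit that introduced it is missing.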