| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Apr 2015 09:36:34 +1000
From: NeilBrown <neilb@...e.de>
To: Olivier Sobrie <olivier@...rie.be>,
"David S. Miller" <davem@...emloft.net>,
Jan Dumon <j.dumon@...ion.com>
Cc: linux-usb@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
GTA04 owners <gta04-owner@...delico.com>
Subject: [PATCH] hso: fix refcnt leak in recent patch.
Prior to
commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
hso: fix crash when device disappears while serial port is open
hso_serial_open would always kref_get(&serial->parent->ref) before
returning zero.
Since that commit, it only calls kref_get when returning 0 if
serial->port.count was zero.
This results in calls to
kref_put(&serial->parent->ref, hso_serial_ref_free);
after hso_serial_ref_free has been called, which dereferences a freed
pointer.
This patch adds the missing kref_get().
Fixes: commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
Cc: stable@...r.kernel.org (v4.0)
Cc: Olivier Sobrie <olivier@...rie.be>
Signed-off-by: NeilBrown <neilb@...e.de>
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 75befc1bd816..6848fc903340 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -1299,6 +1299,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
}
} else {
D1("Port was already open");
+ kref_get(&serial->parent->ref);
}
usb_autopm_put_interface(serial->parent->interface);
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists