Message-ID: <Pine.LNX.4.44L0.0908201523490.2670-100000@iolanthe.rowland.org>
Date:	Thu, 20 Aug 2009 15:33:41 -0400 (EDT)
From:	Alan Stern <stern@...land.harvard.edu>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
cc:	Greg KH <greg@...ah.com>,
	Kernel development list <linux-kernel@...r.kernel.org>
Subject: More usb-serial problems

Alan:

I have uncovered yet another problem with usb-serial.  The refcount of
the tty_struct is getting set wrong.

I didn't trace it fully, but here's what I found.  Opening the device
increases the refcount from 1 to 2.  Closing the device decreases the
refcount all the way to 0, causing the structure to be deallocated.
The next time a program tries to open it, there's an access violation.

The two decrements occur in the following paths:

	tty_release_dev -> serial_close -> tty_port_tty_set ->
		tty_kref_put

	tty_release_dev -> release_tty -> tty_kref_put

Those both seem reasonable, which suggests that something is wrong
with __tty_open.  I tried replacing

	filp->private_data = tty;

with

	filp->private_data = tty_kref_get(tty);

but that failed dismally (no tty device could be opened more than
once).  Maybe you have already run across this problem, but if you
haven't, please take a look.

Alan Stern
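
The refcount sequence reported in the message above, replayed in a user-space C model. This is an added example, not code from the message or from the kernel; the `ref_event` struct, the `replay` function and the trace are constructed for illustration. It reports which put releases the structure and which later event then touches the released object.

```c
#include <stdio.h>
#include <stddef.h>

/* User-space model of a kref-style counter; not kernel code. */
struct ref_event {
    int delta;          /* +1 = get, -1 = put */
    const char *path;   /* call path that produced the event */
};

/* Constructed trace following the sequence reported in the message. */
static const struct ref_event trace[] = {
    { +1, "first open" },
    { -1, "tty_release_dev -> serial_close -> tty_port_tty_set -> tty_kref_put" },
    { -1, "tty_release_dev -> release_tty -> tty_kref_put" },
    { +1, "second open" },
};

/*
 * Replay events against a counter that starts at `initial`.
 * Returns the index of the first event that touches the object after
 * its count reached zero (a use after free), or -1 if none does.
 * *freed_at gets the index of the put that dropped the count to zero,
 * or -1 if the count never reached zero.
 */
static int replay(const struct ref_event *ev, size_t n, int initial, int *freed_at)
{
    int refs = initial;
    *freed_at = -1;
    for (size_t i = 0; i < n; i++) {
        if (*freed_at >= 0)
            return (int)i;          /* object was already released */
        refs += ev[i].delta;
        if (refs == 0)
            *freed_at = (int)i;     /* final put: release runs here */
    }
    return -1;
}

int main(void)
{
    int freed_at;
    int uaf = replay(trace, sizeof trace / sizeof trace[0], 1, &freed_at);
    if (freed_at >= 0)
        printf("released by: %s\n", trace[freed_at].path);
    if (uaf >= 0)
        printf("touched after release: %s\n", trace[uaf].path);
    return 0;
}
```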