| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20150414110303.66edcfee@notabene.brown>
Date: Tue, 14 Apr 2015 11:03:03 +1000
From: NeilBrown <neilb@...e.de>
To: Olivier Sobrie <olivier@...rie.be>,
"David S. Miller" <davem@...emloft.net>,
Jan Dumon <j.dumon@...ion.com>
Cc: linux-usb@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
GTA04 owners <gta04-owner@...delico.com>
Subject: Re: [PATCH] hso: fix refcnt leak in recent patch.
On Tue, 14 Apr 2015 09:36:34 +1000 NeilBrown <neilb@...e.de> wrote:
>
>
> Prior to
> commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
> hso: fix crash when device disappears while serial port is open
>
> hso_serial_open would always kref_get(&serial->parent->ref) before
> returning zero.
> Since that commit, it only calls kref_get when returning 0 if
> serial->port.count was zero.
>
> This results in calls to
> kref_put(&serial->parent->ref, hso_serial_ref_free);
>
> after hso_serial_ref_free has been called, which dereferences a freed
> pointer.
>
> This patch adds the missing kref_get().
>
> Fixes: commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
> Cc: stable@...r.kernel.org (v4.0)
> Cc: Olivier Sobrie <olivier@...rie.be>
> Signed-off-by: NeilBrown <neilb@...e.de>
>
> diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
> index 75befc1bd816..6848fc903340 100644
> --- a/drivers/net/usb/hso.c
> +++ b/drivers/net/usb/hso.c
> @@ -1299,6 +1299,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
> }
> } else {
> D1("Port was already open");
> + kref_get(&serial->parent->ref);
> }
>
> usb_autopm_put_interface(serial->parent->interface);
Sorry - that was wrong.
I'm getting crashes which strongly suggest the kref_put is being called extra
times, but I misunderstood the code and was hasty.
Maybe this instead?
Thanks,
NeilBrown
From: NeilBrown <neil@...wn.name>
Date: Tue, 14 Apr 2015 09:33:03 +1000
Subject: [PATCH] hso: fix refcnt leak in recent patch.
Prior to
commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
hso: fix crash when device disappears while serial port is open
a kref_get on serial->parent->ref would be taken on each open,
and it would be kref_put on each close.
Now the kref_put happens when the tty_struct is finally put (via
the 'cleanup') providing tty->driver_data has been set.
So the kref_get must be called exact once when tty->driver_data is
set.
With the current code, if the first open fails the kref_get() is never
called, but the kref_put() is called, leaving to a crash.
So change the kref_get call to happen exactly when ->driver_data is
changed from NULL to non-NULL.
Fixes: commit 29bd3bc1194c624ce863cab2a7da9bc1f0c3b47b
Cc: stable@...r.kernel.org (v4.0)
Cc: Olivier Sobrie <olivier@...rie.be>
Signed-off-by: NeilBrown <neil@...wn.name>
diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 75befc1bd816..17fd3820263a 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -1278,6 +1278,8 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
D1("Opening %d", serial->minor);
/* setup */
+ if (tty->driver_data == NULL)
+ kref_get(&serial->parent->ref);
tty->driver_data = serial;
tty_port_tty_set(&serial->port, tty);
@@ -1294,8 +1296,6 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
if (result) {
hso_stop_serial_device(serial->parent);
serial->port.count--;
- } else {
- kref_get(&serial->parent->ref);
}
} else {
D1("Port was already open");
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists