If the device is disconnected while serial_open() is executing and either
try_module_get() or the device specific open function fails, the kref_put()
call in the 'bailout_kref_put' label will free the memory pointed out by
'port'.

 The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.

 The fix is just to assure kref_put() is called after any 'port' usage.

Signed-off-by: Luiz Fernando N. Capitulino <[EMAIL PROTECTED]>

---

 drivers/usb/serial/usb-serial.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

4eaa6dcadd9df93d0297cdff45fe8a30169c7abe
diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a..d9dceb4 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struc
 bailout_module_put:
        module_put(serial->type->driver.owner);
 bailout_kref_put:
-       kref_put(&serial->kref, destroy_serial);
        port->open_count = 0;
        mutex_unlock(&port->mutex);
+       kref_put(&serial->kref, destroy_serial);
        return retval;
 }
 
-- 
1.3.1.ge5de



-- 
Luiz Fernando N. Capitulino


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
linux-usb-devel@lists.sourceforge.net
To unsubscribe, use the last form field at:
https://lists.sourceforge.net/lists/listinfo/linux-usb-devel

Reply via email to