synchronization in usb_serial_put

Thu, 12 Jul 2007 18:02:33 -0700 

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52f6b5e1f15fa8c06efa69a4b5faa69c04707c92
Commit:     52f6b5e1f15fa8c06efa69a4b5faa69c04707c92
Parent:     efdff60885e36b5091cdc47742dd5768ff4119be
Author:     Benny Halevy <[EMAIL PROTECTED]>
AuthorDate: Tue May 15 11:15:27 2007 +0300
Committer:  Greg Kroah-Hartman <[EMAIL PROTECTED]>
CommitDate: Thu Jul 12 16:34:31 2007 -0700

    synchronization in usb_serial_put
    
    I think there is a race between usb_serial_put() and
    usb_serial_get_by_index() (and get_free_serial()) with regards
    to handling the serial port refcount.
    
    usb_serial_get_by_index() gets a reference on the serial port under
    table_lock while return_serial releases all the returned ports
    from the table under the same lock.  However, the table_lock is not
    taken around the call to kref_put, theoretically allowing to sneak
    in and grab a reference after kref_put has already determined that
    the reference count is zero (and before calling destroy_serial)
    causing use after free.
    
    Signed-off-by: Benny Halevy <[EMAIL PROTECTED]>
    Cc: Oliver Neukum <[EMAIL PROTECTED]>
    Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
---
 drivers/usb/serial/usb-serial.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index e3e3728..a366565 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -122,11 +122,9 @@ static void return_serial(struct usb_serial *serial)
        if (serial == NULL)
                return;
 
-       spin_lock(&table_lock);
        for (i = 0; i < serial->num_ports; ++i) {
                serial_table[serial->minor + i] = NULL;
        }
-       spin_unlock(&table_lock);
 }
 
 static void destroy_serial(struct kref *kref)
@@ -174,7 +172,9 @@ static void destroy_serial(struct kref *kref)
 
 void usb_serial_put(struct usb_serial *serial)
 {
+       spin_lock(&table_lock);
        kref_put(&serial->kref, destroy_serial);
+       spin_unlock(&table_lock);
 }
 
 /*****************************************************************************
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to