From: Benny Halevy <bhalevy@panasas.com>
Date: Tue, 15 May 2007 08:15:27 +0000 (+0300)
Subject: synchronization in usb_serial_put
X-Git-Tag: v2.6.23-rc1~1083^2~81
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=52f6b5e1f15fa8c06efa69a4b5faa69c04707c92;p=pandora-kernel.git

synchronization in usb_serial_put

I think there is a race between usb_serial_put() and
usb_serial_get_by_index() (and get_free_serial()) with regards
to handling the serial port refcount.

usb_serial_get_by_index() gets a reference on the serial port under
table_lock while return_serial releases all the returned ports
from the table under the same lock.  However, the table_lock is not
taken around the call to kref_put, theoretically allowing to sneak
in and grab a reference after kref_put has already determined that
the reference count is zero (and before calling destroy_serial)
causing use after free.

Signed-off-by: Benny Halevy <bhalevy@ns1.bhalevy.com>
Cc: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

Reading git-diff-tree failed