On Mon, 2015-01-05 at 16:04 +0100, Johan Hovold wrote: > Use tty kref to release the fake tty in usb_console_setup to avoid use > after free if the underlying serial driver has acquired a reference. > > Note that using the tty destructor release_one_tty requires some more > state to be initialised. [...] > --- a/drivers/usb/serial/console.c > +++ b/drivers/usb/serial/console.c [...] > @@ -137,14 +139,17 @@ static int usb_console_setup(struct console *co, char *options) > goto reset_open_count; > } > kref_init(&tty->kref); > - tty_port_tty_set(&port->port, tty); > tty->driver = usb_serial_tty_driver; > tty->index = co->index; > init_ldsem(&tty->ldisc_sem); > + INIT_LIST_HEAD(&tty->tty_files); > + kref_get(&tty->driver->kref); > + tty->ops = &usb_console_fake_tty_ops; [...] Do we also need: __module_get(tty->driver->owner); or am I missing something? Ben. -- Ben Hutchings I say we take off; nuke the site from orbit. It's the only way to be sure.
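Review bot: the hunk balances the driver reference that the tty destructor will drop (the added `kref_get(&tty->driver->kref);`) but takes no matching reference on the driver's module, so Ben's question stands: if release_one_tty also does a module_put on tty->driver->owner when the fake tty is freed, this path needs a `__module_get(tty->driver->owner);` next to the kref_get (after `tty->driver = usb_serial_tty_driver;` so the owner pointer is valid), otherwise the first release underflows the module refcount. Worth either adding the get or stating in the commit message why the destructor's module put is balanced some other way.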