Re: [PATCH] USB: console: fix potential use after free

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2015-01-05 at 16:04 +0100, Johan Hovold wrote:
> Use tty kref to release the fake tty in usb_console_setup to avoid use
> after free if the underlying serial driver has acquired a reference.
> 
> Note that using the tty destructor release_one_tty requires some more
> state to be initialised.
[...]
> --- a/drivers/usb/serial/console.c
> +++ b/drivers/usb/serial/console.c
[...]
> @@ -137,14 +139,17 @@ static int usb_console_setup(struct console *co, char *options)
>  				goto reset_open_count;
>  			}
>  			kref_init(&tty->kref);
> -			tty_port_tty_set(&port->port, tty);
>  			tty->driver = usb_serial_tty_driver;
>  			tty->index = co->index;
>  			init_ldsem(&tty->ldisc_sem);
> +			INIT_LIST_HEAD(&tty->tty_files);
> +			kref_get(&tty->driver->kref);
> +			tty->ops = &usb_console_fake_tty_ops;
[...]

Do we also need:
			__module_get(tty->driver->owner);
or am I missing something?

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]