linux/drivers/usb/serial
Benny Halevy 52f6b5e1f1 synchronization in usb_serial_put
I think there is a race between usb_serial_put() and
usb_serial_get_by_index() (and get_free_serial()) with regards
to handling the serial port refcount.

usb_serial_get_by_index() gets a reference on the serial port under
table_lock while return_serial releases all the returned ports
from the table under the same lock.  However, the table_lock is not
taken around the call to kref_put, theoretically allowing to sneak
in and grab a reference after kref_put has already determined that
the reference count is zero (and before calling destroy_serial)
causing use after free.

Signed-off-by: Benny Halevy <bhalevy@ns1.bhalevy.com>
Cc: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-07-12 16:34:31 -07:00
..
aircable.c Fix misspellings collected by members of KJ list. 2007-05-09 07:14:03 +02:00
airprime.c USB: remove duplicated device id in airprime driver 2007-03-26 14:17:48 -07:00
ark3116.c USB: Fix debug output of ark3116 2007-05-22 23:45:50 -07:00
belkin_sa.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
belkin_sa.h
bus.c USB serial: add dynamic id support to usb-serial core 2007-02-07 15:44:33 -08:00
ChangeLog.history
console.c [PATCH] tty: switch to ktermios 2006-12-08 08:28:57 -08:00
cp2101.c USB: CP2101 New Device IDs 2007-04-27 13:28:42 -07:00
cyberjack.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
cypress_m8.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
cypress_m8.h
digi_acceleport.c USB: digi_acceleport further buffer clean up 2007-07-12 16:34:29 -07:00
empeg.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
ezusb_convert.pl
ezusb.c USB: kmemdup() cleanup in drivers/usb/ 2006-12-01 14:23:27 -08:00
ftdi_sio.c USB: ftdi_sio.c: Allow setting latency timer on FT232RL 2007-07-12 16:29:50 -07:00
ftdi_sio.h USB: ftdio_sio: New IPlus device ID 2007-06-25 23:38:06 -07:00
funsoft.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
garmin_gps.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
generic.c USB: generic usb serial to new buffering scheme 2007-07-12 16:29:51 -07:00
hp4x.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
io_16654.h
io_edgeport.c USB: fix race leading to use after free in io_edgeport 2007-06-25 23:38:06 -07:00
io_edgeport.h USB: io_edgeport: Convert to generic boolean 2007-04-27 13:28:36 -07:00
io_fw_boot2.h
io_fw_boot.h
io_fw_down2.h
io_fw_down3.h USB: io_ti: Digi EdgePort update for new devices 2007-07-12 16:29:48 -07:00
io_fw_down.h
io_ionsp.h
io_tables.h USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
io_ti.c USB: io_ti: sleep with spinlock held detected by automatic tool 2007-07-12 16:34:31 -07:00
io_ti.h
io_usbvend.h USB: io_ti: Digi EdgePort update for new devices 2007-07-12 16:29:48 -07:00
ipaq.c Adding PID of SHARP S01SH for ipaq.c 2007-04-27 13:28:33 -07:00
ipaq.h
ipw.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
ir-usb.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
Kconfig USB: oti6858 usb-serial driver (in Nokia CA-42 cable) 2007-07-12 16:29:47 -07:00
keyspan_mpr_fw.h
keyspan_pda_fw.h
keyspan_pda.c [PATCH] Char: tty_wakeup cleanup 2007-02-11 10:51:26 -08:00
keyspan_pda.S
keyspan_usa18x_fw.h
keyspan_usa19_fw.h
keyspan_usa19qi_fw.h
keyspan_usa19qw_fw.h
keyspan_usa19w_fw.h
keyspan_usa26msg.h
keyspan_usa28_fw.h
keyspan_usa28msg.h
keyspan_usa28x_fw.h
keyspan_usa28xa_fw.h
keyspan_usa28xb_fw.h
keyspan_usa49msg.h
keyspan_usa49w_fw.h
keyspan_usa49wlc_fw.h
keyspan_usa67msg.h USB Serial Keyspan: add support for USA-49WG & USA-28XG 2007-07-12 16:29:45 -07:00
keyspan_usa90msg.h
keyspan.c USB Serial Keyspan: add support for USA-49WG & USA-28XG 2007-07-12 16:29:45 -07:00
keyspan.h USB Serial Keyspan: add support for USA-49WG & USA-28XG 2007-07-12 16:29:45 -07:00
kl5kusb105.c USB: fix error handling in kl5kusb 2007-04-27 13:28:38 -07:00
kl5kusb105.h
kobil_sct.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
kobil_sct.h
Makefile USB: oti6858 usb-serial driver (in Nokia CA-42 cable) 2007-07-12 16:29:47 -07:00
Makefile-keyspan_pda_fw
mct_u232.c USB: RTS/CTS handshaking support, DTR fixes for MCT U232 serial adapter 2007-07-12 16:29:48 -07:00
mct_u232.h USB: RTS/CTS handshaking support, DTR fixes for MCT U232 serial adapter 2007-07-12 16:29:48 -07:00
mos7720.c USB: fix endianness in mos7720 2007-04-27 13:28:36 -07:00
mos7840.c USB: remove useless check in mos7840 found by coverity 2007-05-22 23:45:48 -07:00
navman.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
omninet.c USB: fix omninet memory leak found by coverity 2007-05-22 23:45:48 -07:00
option.c USB: option: fix usage of urb->status abuse 2007-07-12 16:34:30 -07:00
oti6858.c USB: oti6858 usb-serial driver (in Nokia CA-42 cable) 2007-07-12 16:29:47 -07:00
oti6858.h USB: oti6858 usb-serial driver (in Nokia CA-42 cable) 2007-07-12 16:29:47 -07:00
pl2303.c USB: flow control fix for pl2303 2007-07-12 16:29:51 -07:00
pl2303.h USB: PL2303: Willcom WS002IN Support. 2007-02-16 15:32:17 -08:00
safe_serial.c USB serial: add driver pointer to all usb-serial drivers 2007-02-07 15:44:34 -08:00
sierra.c USB: Add support for Sierra Wireless Aircard 595U 2007-05-22 23:45:51 -07:00
ti_fw_3410.h
ti_fw_5052.h
ti_usb_3410_5052.c USB: ti serial driver sleeps with spinlock held 2007-06-25 23:38:05 -07:00
ti_usb_3410_5052.h usb-serial: ti_usb, TI ez430 development tool ID 2006-12-01 14:23:30 -08:00
usb_debug.c USB: add driver for the USB debug devices 2006-12-01 14:25:52 -08:00
usb-serial.c synchronization in usb_serial_put 2007-07-12 16:34:31 -07:00
visor.c USB: visor driver adapted to new tty buffering 2007-07-12 16:29:51 -07:00
visor.h USB: remove duplicate device id from visor 2007-02-07 15:44:40 -08:00
whiteheat_fw.h
whiteheat.c USB: whiteheat driver update 2007-07-12 16:34:28 -07:00
whiteheat.h USB: whiteheat: Convert to generic boolean 2007-04-27 13:28:39 -07:00
xircom_pgs_fw.h
xircom_pgs.S