From 704936a25bda9bb12e35bb222d5e3f26186dc279 Mon Sep 17 00:00:00 2001
From: Luiz Fernando Capitulino <lcapitulino@mandriva.com.br>
Date: Thu, 11 May 2006 22:34:17 -0300
Subject: [PATCH] [PATCH] usbserial: Fixes use-after-free in serial_open().

If the device is disconnected while serial_open() is executing and
either try_module_get() or the device specific open function fails, the
kref_put() call in the 'bailout_kref_put' label will free the memory
pointed out by 'port'.

The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.

The fix is just to assure kref_put() is called after any 'port' usage.

Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
 drivers/usb/serial/usb-serial.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c
index 071f86a59c086..d9dceb4f57b9e 100644
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -225,9 +225,9 @@ static int serial_open (struct tty_struct *tty, struct file * filp)
 bailout_module_put:
 	module_put(serial->type->driver.owner);
 bailout_kref_put:
-	kref_put(&serial->kref, destroy_serial);
 	port->open_count = 0;
 	mutex_unlock(&port->mutex);
+	kref_put(&serial->kref, destroy_serial);
 	return retval;
 }
 
-- 
2.30.2