[PATCH] fix for do_tty_hangup() access of kfreed memory

do_tty_hangup() does fput() on redirect struct file too early - it could've been the only holder of tty_struct we are working with and in that case we'll end up freeing it from fput() and then both reading and modifying kfreed memory.

[PATCH] fix for do_tty_hangup() access of kfreed memory
do_tty_hangup() does fput() on redirect struct file too early - it could've been the only holder of tty_struct we are working with and in that case we'll end up freeing it from fput() and then both reading and modifying kfreed memory.
16ca3698 · Alexander Viro · Linus Torvalds · 95c2f4d9 · 16ca3698
Commit 16ca3698 authored Oct 21, 2003 by Alexander Viro Committed by Linus Torvalds Oct 21, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

drivers/char/tty_io.c drivers/char/tty_io.c +2 -2

No files found.
--- a/drivers/char/tty_io.c
+++ b/drivers/char/tty_io.c
@@ -423,8 +423,6 @@ void do_tty_hangup(void *data)
 		redirect = NULL;
 	}
 	spin_unlock(&redirect_lock);
-	if (f)
-		fput(f);
 	
 	check_tty_count(tty, "do_tty_hangup");
 	file_list_lock();
@@ -512,6 +510,8 @@ void do_tty_hangup(void *data)
 	} else if (tty->driver->hangup)
 		(tty->driver->hangup)(tty);
 	unlock_kernel();
+	if (f)
+		fput(f);
 }

 void tty_hangup(struct tty_struct * tty)