[PATCH] fix for do_tty_hangup() access of kfreed memory
authorAlexander Viro <viro@parcelfarce.linux.theplanet.co.uk>
Wed, 22 Oct 2003 01:44:21 +0000 (18:44 -0700)
committerLinus Torvalds <torvalds@home.osdl.org>
Wed, 22 Oct 2003 01:44:21 +0000 (18:44 -0700)
do_tty_hangup() does fput() on redirect struct file too early -
it could've been the only holder of tty_struct we are working with and in
that case we'll end up freeing it from fput() and then both reading and
modifying kfreed memory.

drivers/char/tty_io.c

index 09868cc3da788deebac332d33f36e00b18214852..f68efa6f4e5ff3632135ae510c4c68ee652cc023 100644 (file)
@@ -423,8 +423,6 @@ void do_tty_hangup(void *data)
                redirect = NULL;
        }
        spin_unlock(&redirect_lock);
-       if (f)
-               fput(f);
        
        check_tty_count(tty, "do_tty_hangup");
        file_list_lock();
@@ -512,6 +510,8 @@ void do_tty_hangup(void *data)
        } else if (tty->driver->hangup)
                (tty->driver->hangup)(tty);
        unlock_kernel();
+       if (f)
+               fput(f);
 }
 
 void tty_hangup(struct tty_struct * tty)
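Review bot: The relocated `fput(f)` at the end of do_tty_hangup() carries no comment saying why it must stay last, so a later cleanup could move it back up beside `spin_unlock(&redirect_lock)` and reintroduce the access to freed memory. Per the commit message, the redirect file may be the only holder of the tty_struct, so I would add above it `/* f may hold the last reference to tty; drop it only after the last use of tty */`. The body between the two hunks is not visible here; if it contains an early return, that path would now skip the fput() and leak the file reference, which is worth confirming.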