git.baikalelectronics.ru Git - kernel.git/commit

author	Jia-Ju Bai <baijiaju1990@gmail.com>
	Tue, 8 Jan 2019 13:04:48 +0000 (21:04 +0800)
committer	David S. Miller <davem@davemloft.net>
	Sat, 12 Jan 2019 01:56:47 +0000 (17:56 -0800)
commit	7a4e1deab6a63edafa41b2a832a6fa3a286675ad
tree	f6090d0aa33f29b60ad0460e63e9916c7a0997a2	tree \| snapshot
parent	11f612694100f362b868a8d63faf8ae3fab0fae9	commit \| diff

isdn: i4l: isdn_tty: Fix some concurrency double-free bugs

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>