git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Jia-Ju Bai <baijiaju1990@gmail.com>
	Tue, 8 Jan 2019 13:04:48 +0000 (21:04 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 27 Feb 2019 09:08:55 +0000 (10:08 +0100)
commit	3dd0ce706e0bcec806a68adf9598b7c31405e03e
tree	142a6bbe60d3e81317bbb7007195bb6dd5677a55	tree \| snapshot
parent	1b8742ba98a5bf0b5d0e30fb61cbe1c61fa4e88b	commit \| diff

isdn: i4l: isdn_tty: Fix some concurrency double-free bugs

[ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ]

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>