review.tizen.org Git - platform/kernel/linux-amlogic.git/commit

author	Jia-Ju Bai <baijiaju1990@gmail.com>
	Tue, 8 Jan 2019 13:04:48 +0000 (21:04 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 27 Feb 2019 09:06:59 +0000 (10:06 +0100)
commit	46154d295b82ff4f470dd3934440433ce333825b
tree	34846002f68ee8c8e63f6dd8e96b42e7f11c7c44	tree \| snapshot
parent	ee3cf5aee221029dce651ab0cf4c736ba92ade62	commit \| diff

isdn: i4l: isdn_tty: Fix some concurrency double-free bugs

[ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ]

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>