From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jia-Ju Bai <baijiaju1990@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 23/34] isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
Date: Tue, 12 Feb 2019 21:39:41 -0500
Message-ID: <20190213023952.21311-23-sashal@kernel.org>
In-Reply-To: <20190213023952.21311-1-sashal@kernel.org>

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ]

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/i4l/isdn_tty.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
index d30130c8d0f3..b107452e16df 100644
--- a/drivers/isdn/i4l/isdn_tty.c
+++ b/drivers/isdn/i4l/isdn_tty.c
@@ -1456,15 +1456,19 @@ isdn_tty_set_termios(struct tty_struct *tty, struct ktermios *old_termios)
 {
 	modem_info *info = (modem_info *) tty->driver_data;
 
+	mutex_lock(&modem_info_mutex);
 	if (!old_termios)
 		isdn_tty_change_speed(info);
 	else {
 		if (tty->termios.c_cflag == old_termios->c_cflag &&
 		    tty->termios.c_ispeed == old_termios->c_ispeed &&
-		    tty->termios.c_ospeed == old_termios->c_ospeed)
+		    tty->termios.c_ospeed == old_termios->c_ospeed) {
+			mutex_unlock(&modem_info_mutex);
 			return;
+		}
 		isdn_tty_change_speed(info);
 	}
+	mutex_unlock(&modem_info_mutex);
 }
 
 /*
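Review bot: the early-return branch after the `tty->termios.c_ospeed == old_termios->c_ospeed` test now carries its own mutex_unlock(), so this short function has two unlock sites and any return path added later can leave modem_info_mutex held. The c_cflag/c_ispeed/c_ospeed comparison only reads tty->termios and old_termios, not info, so the lock could be taken just around the isdn_tty_change_speed(info) calls, or the condition could be inverted so that a single unlock at the end covers every path. A short comment naming what the mutex protects here would also help: the commit message says it is the kfree() calls in isdn_tty_modem_hup(), but nothing visible in this function shows that isdn_tty_change_speed() reaches them. Since modem_info_mutex is referenced as a global rather than through info, it is also worth confirming that no caller of isdn_tty_set_termios() can already hold it.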
-- 
2.19.1

