Date: Mon, 7 Jan 2019 09:57:24 +0100
From: Greg KH
To: Jia-Ju Bai
Cc: arnd@arndb.de, viro@zeniv.linux.org.uk, Linux Kernel Mailing List
Subject: Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()
Message-ID: <20190107085724.GC26384@kroah.com>
In-Reply-To: <76309f04-b1e1-11d3-b77f-962bf50c5be2@gmail.com>

On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
> In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and hdlcdev_open() can be concurrently executed.
>
> hdlcdev_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
>
> mgslpc_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
>
> Thus, a possible concurrency double-free bug may occur.

Wait, are you sure those really are the same structure, and that those two functions can be called at the same time?

That is a tty and a network device, are they both created at the same time or does opening one create the other?

It's not obvious in looking at the code if this really is the same structure or not, how did your tool figure it out?

thanks,

greg k-h
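A userspace model of the interleaving the report describes, added here as an illustration and not taken from synclink_cs.c or from either poster: it replays two open paths step by step and shows that a repeated free needs both conditions asked about in the reply, the same structure and overlapping execution. `struct dev_info`, `struct opener`, `tracked_kfree()` and `count_double_frees()` are hypothetical names, and the read-then-free-then-clear shape of each path is an assumption of the model, not a statement about the driver.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the per-device state; only rx_buf is named in the report. */
struct dev_info { void *rx_buf; };
/* One open path, split into two steps so that interleavings can be replayed. */
struct opener { struct dev_info *info; void *seen; int step; };

static void *freed[4];
static int n_freed, double_frees;

/* Stand-in for kfree(): records the pointer and counts a repeat instead of freeing. */
static void tracked_kfree(void *p)
{
    if (!p) return;                          /* kfree(NULL) is a no-op */
    for (int i = 0; i < n_freed; i++)
        if (freed[i] == p) { double_frees++; return; }
    freed[n_freed++] = p;
}

static void advance(struct opener *o)
{
    if (o->step == 0) {
        o->seen = o->info->rx_buf;           /* step 0: read the pointer */
    } else if (o->step == 1) {
        tracked_kfree(o->seen);              /* step 1: free what was read */
        o->info->rx_buf = NULL;              /* and clear the field (assumed) */
    }
    o->step++;
}

/* Replay schedule (e.g. "ABAB"): A models the tty open, B the network open.
 * shared != 0 puts both on one dev_info. Returns the double frees counted. */
int count_double_frees(const char *schedule, int shared)
{
    void *pa = malloc(16), *pb = malloc(16);
    struct dev_info a = { pa }, b = { pb };
    struct opener A = { &a, NULL, 0 }, B = { shared ? &a : &b, NULL, 0 };

    n_freed = double_frees = 0;
    for (const char *s = schedule; *s; s++)
        advance(*s == 'A' ? &A : &B);
    free(pa); free(pb);                      /* real release, exactly once each */
    return double_frees;
}

int main(void)
{
    printf("%d %d %d\n", count_double_frees("ABAB", 1),
           count_double_frees("AABB", 1), count_double_frees("ABAB", 0));
    return 0;
}
```

The "AABB" schedule is what a lock held across the whole open path would enforce; in this model it yields no repeated free only because the pointer is cleared after the free.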