linux-sg2042/drivers/isdn/i4l
Jia-Ju Bai 2ff33d6637 isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-11 17:56:47 -08:00
..
Kconfig isdn: i4l: move active-isdn drivers to staging 2016-03-05 15:00:38 -08:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
isdn_audio.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
isdn_audio.h
isdn_bsdcomp.c treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
isdn_common.c isdn: Disable IIOCDBGVAR 2018-08-16 12:26:24 -07:00
isdn_common.h TTY: switch tty_insert_flip_string 2013-01-15 22:22:35 -08:00
isdn_concap.c isdn: use designated initializers 2016-12-17 11:56:57 -05:00
isdn_concap.h isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_net.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
isdn_net.h isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_ppp.c vfs: do bulk POLL* -> EPOLL* replacement 2018-02-11 14:34:03 -08:00
isdn_ppp.h the rest of drivers/*: annotate ->poll() instances 2017-11-28 11:06:58 -05:00
isdn_tty.c isdn: i4l: isdn_tty: Fix some concurrency double-free bugs 2019-01-11 17:56:47 -08:00
isdn_tty.h isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_ttyfax.c isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_ttyfax.h isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_v110.c isdn: mark expected switch fall-throughs 2018-07-04 22:17:32 +09:00
isdn_v110.h isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00
isdn_x25iface.c networking: add and use skb_put_u8() 2017-06-16 11:48:40 -04:00
isdn_x25iface.h wanrouter: completely decouple obsolete code from kernel. 2013-01-31 19:20:33 -05:00
isdnhdlc.c isdn: whitespace coding style cleanup 2012-02-21 09:04:01 -08:00