• Jia-Ju Bai's avatar
    isdn: i4l: isdn_tty: Fix some concurrency double-free bugs · 2ff33d66
    Jia-Ju Bai authored
    The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
    concurrently executed.
    
    isdn_tty_tiocmset
      isdn_tty_modem_hup
        line 719: kfree(info->dtmf_state);
        line 721: kfree(info->silence_state);
        line 723: kfree(info->adpcms);
        line 725: kfree(info->adpcmr);
    
    isdn_tty_set_termios
      isdn_tty_modem_hup
        line 719: kfree(info->dtmf_state);
        line 721: kfree(info->silence_state);
        line 723: kfree(info->adpcms);
        line 725: kfree(info->adpcmr);
    
    Thus, some concurrency double-free bugs may occur.
    
    These possible bugs are found by a static tool written by myself and
    my manual code review.
    
    To fix these possible bugs, the mutex lock "modem_info_mutex" used in
    isdn_tty_tiocmset() is added in isdn_tty_set_termios().
    Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2ff33d66
Name
Last commit
Last update
..
Kconfig Loading commit data...
Makefile Loading commit data...
isdn_audio.c Loading commit data...
isdn_audio.h Loading commit data...
isdn_bsdcomp.c Loading commit data...
isdn_common.c Loading commit data...
isdn_common.h Loading commit data...
isdn_concap.c Loading commit data...
isdn_concap.h Loading commit data...
isdn_net.c Loading commit data...
isdn_net.h Loading commit data...
isdn_ppp.c Loading commit data...
isdn_ppp.h Loading commit data...
isdn_tty.c Loading commit data...
isdn_tty.h Loading commit data...
isdn_ttyfax.c Loading commit data...
isdn_ttyfax.h Loading commit data...
isdn_v110.c Loading commit data...
isdn_v110.h Loading commit data...
isdn_x25iface.c Loading commit data...
isdn_x25iface.h Loading commit data...
isdnhdlc.c Loading commit data...