git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Jia-Ju Bai <baijiaju1990@gmail.com>
	Tue, 8 Jan 2019 13:04:48 +0000 (21:04 +0800)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Wed, 14 Aug 2019 09:18:49 +0000 (11:18 +0200)
commit	f2d390d2ca0615fe1dc97edfeb1ea187cbc16815
tree	9207da6b886a2b6242272a91c7268b4c0d90cf9c	tree
parent	9accb3ccd410881cbaac86592815e6ab1b74737a	commit \| diff

isdn: i4l: isdn_tty: Fix some concurrency double-free bugs

BugLink: https://bugs.launchpad.net/bugs/1837813
[ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ]

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>