diff options
| author | Jia-Ju Bai <baijiaju1990@gmail.com> | 2019-01-08 21:04:48 +0800 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-01-11 17:56:47 -0800 |
| commit | 2ff33d6637393fe9348357285931811b76e1402f (patch) | |
| tree | f6090d0aa33f29b60ad0460e63e9916c7a0997a2 /kernel | |
| parent | 7fbe078c37aba3088359c9256c1a1d0c3e39ee81 (diff) | |
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.
isdn_tty_tiocmset
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
isdn_tty_set_termios
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
Thus, some concurrency double-free bugs may occur.
These possible bugs are found by a static tool written by myself and
my manual code review.
To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel')
0 files changed, 0 insertions, 0 deletions