• Jia-Ju Bai's avatar
    isdn: i4l: isdn_tty: Fix some concurrency double-free bugs · 2ff33d66
    Jia-Ju Bai authored
    The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
    concurrently executed.
    
    isdn_tty_tiocmset
      isdn_tty_modem_hup
        line 719: kfree(info->dtmf_state);
        line 721: kfree(info->silence_state);
        line 723: kfree(info->adpcms);
        line 725: kfree(info->adpcmr);
    
    isdn_tty_set_termios
      isdn_tty_modem_hup
        line 719: kfree(info->dtmf_state);
        line 721: kfree(info->silence_state);
        line 723: kfree(info->adpcms);
        line 725: kfree(info->adpcmr);
    
    Thus, some concurrency double-free bugs may occur.
    
    These possible bugs are found by a static tool written by myself and
    my manual code review.
    
    To fix these possible bugs, the mutex lock "modem_info_mutex" used in
    isdn_tty_tiocmset() is added in isdn_tty_set_termios().
    Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2ff33d66
isdn_tty.c 88.4 KB