• Alexander Popov's avatar
    tty: n_hdlc: get rid of racy n_hdlc.tbuf · 82f2341c
    Alexander Popov authored
    Currently N_HDLC line discipline uses a self-made singly linked list for
    data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
    an error.
    
    The commit be10eb75
    ("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
    After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
    one data buffer to tx_free_buf_list twice. That causes double free in
    n_hdlc_release().
    
    Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
    in case of tx error put current data buffer after the head of tx_buf_list.
    Signed-off-by: default avatarAlexander Popov <alex.popov@linux.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    82f2341c
n_hdlc.c 27.2 KB