2ff33d6637
The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.
isdn_tty_tiocmset
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
isdn_tty_set_termios
isdn_tty_modem_hup
line 719: kfree(info->dtmf_state);
line 721: kfree(info->silence_state);
line 723: kfree(info->adpcms);
line 725: kfree(info->adpcmr);
Thus, some concurrency double-free bugs may occur.
These possible bugs are found by a static tool written by myself and
my manual code review.
To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|---|---|---|
| .. | ||
| isdn_audio.c | ||
| isdn_audio.h | ||
| isdn_bsdcomp.c | ||
| isdn_common.c | ||
| isdn_common.h | ||
| isdn_concap.c | ||
| isdn_concap.h | ||
| isdn_net.c | ||
| isdn_net.h | ||
| isdn_ppp.c | ||
| isdn_ppp.h | ||
| isdn_tty.c | ||
| isdn_tty.h | ||
| isdn_ttyfax.c | ||
| isdn_ttyfax.h | ||
| isdn_v110.c | ||
| isdn_v110.h | ||
| isdn_x25iface.c | ||
| isdn_x25iface.h | ||
| isdnhdlc.c | ||
| Kconfig | ||
| Makefile | ||