From: Jia-Ju Bai
To: isdn@linux-pingi.de, davem@davemloft.net, natechancellor@gmail.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()
Date: Wed, 26 Dec 2018 22:09:34 +0800
Message-Id: <20181226140934.12903-1-baijiaju1990@gmail.com>

In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
HFCPCI_l1hw() may be concurrently executed.

HFCPCI_l1hw()
  line 1173: if (!cs->tx_skb)

hfcpci_interrupt()
  line 942: spin_lock_irqsave();
  line 1066: dev_kfree_skb_irq(cs->tx_skb);

Thus, a possible concurrency use-after-free bug may occur in
HFCPCI_l1hw().

To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
access to cs->tx_skb.

Signed-off-by: Jia-Ju Bai
--- drivers/isdn/hisax/hfc_pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c index ea0e4c6de3fb..0109e0e8bcb6 100644 --- a/drivers/isdn/hisax/hfc_pci.c +++ b/drivers/isdn/hisax/hfc_pci.c
@@ -1170,11 +1170,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg) if (cs->debug & L1_DEB_LAPD) debugl1(cs, "-> PH_REQUEST_PULL"); #endif + spin_lock_irqsave(&cs->lock, flags); if (!cs->tx_skb) { test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags); st->l1.l1l2(st, PH_PULL | CONFIRM, NULL); } else test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags); + spin_unlock_irqrestore(&cs->lock, flags); break; case (HW_RESET | REQUEST): spin_lock_irqsave(&cs->lock, flags); -- 2.17.0
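
Review bot: the `st->l1.l1l2(st, PH_PULL | CONFIRM, NULL)` call in the `!cs->tx_skb` branch now runs with `cs->lock` held and interrupts disabled. The `HW_RESET | REQUEST` case that follows in this same function takes `cs->lock`, so if the upper-layer callback re-enters HFCPCI_l1hw() with a request that locks (nothing in the visible lines rules this out), the CPU deadlocks on itself. Consider sampling the pointer into a local under the lock (`empty = !cs->tx_skb;`), releasing the lock, and then doing the flag update and the `l1l2` call outside it. Separately, the protected code only tests `cs->tx_skb` for NULL and never dereferences it, so the commit message should state what the unlocked read actually leads to; as written, the cited lines show a racy read rather than a use of freed memory.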