Date: Mon, 7 Jan 2019 09:57:24 +0100
From: Greg KH
To: Jia-Ju Bai
Cc: arnd@arndb.de, viro@zeniv.linux.org.uk, Linux Kernel Mailing List
Subject: Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()
Message-ID: <20190107085724.GC26384@kroah.com>
In-Reply-To: <76309f04-b1e1-11d3-b77f-962bf50c5be2@gmail.com>

On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
> In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and hdlcdev_open() can be concurrently executed.
>
> hdlcdev_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
>
> mgslpc_open
>   startup
>     claim_resources
>       rx_alloc_buffers
>         line 2641: kfree(info->rx_buf)
>
> Thus, a possible concurrency double-free bug may occur.

Wait, are you sure those really are the same structure, and that those two functions can be called at the same time?

That is a tty and a network device, are they both created at the same time or does opening one create the other?

It's not obvious in looking at the code if this really is the same structure or not, how did your tool figure it out?

thanks,

greg k-h
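The pattern the report describes (two callers reaching the same free-then-allocate routine on one shared structure) is easier to reason about in a small deterministic model. The C below is an added example, not code from synclink_cs.c or from either participant, and it does not settle the question Greg raises about whether the two open paths actually share one `info`; it only models what happens if they do. Everything in it is constructed: a fresh-slot allocator that reports a double free instead of crashing, a `dev_info` struct standing in for the driver's private data, and a `busy` flag standing in for a real mutex. The unsafe variant splits the routine into a read step and a free-and-allocate step so the interleaving can be reproduced; the hardened variant serialises the pair and clears the pointer after freeing, which is the mitigation a reviewer would ask for once a shared structure is confirmed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed allocator: hands out fresh slots only, so a stale pointer
 * is never aliased by a later allocation (which is what would otherwise
 * hide the double free in a user-space replay). */
#define SLOTS 8
#define SLOT_SIZE 64
static char arena[SLOTS][SLOT_SIZE];
static bool in_use[SLOTS];
static int next_slot;
static int double_frees;

static void reset_tracker(void) {
    memset(in_use, 0, sizeof in_use);
    next_slot = 0;
    double_frees = 0;
}

static char *tracked_alloc(void) {
    if (next_slot >= SLOTS) return NULL;
    in_use[next_slot] = true;
    return arena[next_slot++];
}

/* Mirrors kfree(): NULL is a no-op; freeing a slot that is not in use is
 * recorded as a double free rather than corrupting anything. */
static void tracked_free(char *p) {
    if (!p) return;
    int i = (int)((p - arena[0]) / SLOT_SIZE);
    if (i < 0 || i >= SLOTS) return;
    if (in_use[i]) in_use[i] = false;
    else double_frees++;
}

/* Hypothetical stand-in for the driver's private data (assumption). */
struct dev_info {
    bool busy;      /* models a mutex as a try-lock */
    char *rx_buf;
};

/* Unsafe variant, split into two steps so an interleaving can be replayed:
 * both callers read rx_buf before either frees it. */
static char *unsafe_read_old(struct dev_info *info) { return info->rx_buf; }
static void unsafe_free_and_alloc(struct dev_info *info, char *old) {
    tracked_free(old);
    info->rx_buf = tracked_alloc();
}

/* Hardened variant: the free/allocate pair runs under the lock, and the
 * pointer is cleared right after the free so it never dangles if the
 * allocation fails. Returns 0 on success, -1 if busy or out of memory. */
static int safe_alloc_buffers(struct dev_info *info) {
    if (info->busy) return -1;   /* a real mutex would wait here instead */
    info->busy = true;
    tracked_free(info->rx_buf);
    info->rx_buf = NULL;
    info->rx_buf = tracked_alloc();
    info->busy = false;
    return info->rx_buf ? 0 : -1;
}

/* Replays the race: two callers observe the same buffer, each frees it.
 * Returns the number of double frees detected (1). */
int run_unsafe_race(void) {
    struct dev_info info = { false, NULL };
    reset_tracker();
    info.rx_buf = tracked_alloc();
    char *seen_by_a = unsafe_read_old(&info);
    char *seen_by_b = unsafe_read_old(&info);
    unsafe_free_and_alloc(&info, seen_by_a);
    unsafe_free_and_alloc(&info, seen_by_b);   /* same stale pointer */
    tracked_free(info.rx_buf);
    return double_frees;
}

/* Hardened routine called twice in a row: each buffer freed once. Returns 0. */
int run_safe_twice(void) {
    struct dev_info info = { false, NULL };
    reset_tracker();
    safe_alloc_buffers(&info);
    safe_alloc_buffers(&info);
    tracked_free(info.rx_buf);
    return double_frees;
}

int main(void) {
    printf("unsafe interleaving: %d double free(s)\n", run_unsafe_race());
    printf("hardened routine:    %d double free(s)\n", run_safe_twice());
    return 0;
}
```

The model also shows why the report is plausible only if the two open paths share one `info`: with separate structures each caller frees its own `rx_buf` and the tracker stays at zero, which is exactly the distinction the reply asks the tool to justify.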