From: Jia-Ju Bai
To: isdn@linux-pingi.de, viro@zeniv.linux.org.uk, davem@davemloft.net, linux@roeck-us.net
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
Date: Tue, 8 Jan 2019 21:04:48 +0800
Message-Id: <20190108130448.22102-1-baijiaju1990@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be
concurrently executed.

isdn_tty_tiocmset
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

isdn_tty_set_termios
  isdn_tty_modem_hup
    line 719: kfree(info->dtmf_state);
    line 721: kfree(info->silence_state);
    line 723: kfree(info->adpcms);
    line 725: kfree(info->adpcmr);

Thus, some concurrency double-free bugs may occur.

These possible bugs are found by a static tool written by myself and
my manual code review.

To fix these possible bugs, the mutex lock "modem_info_mutex" used in
isdn_tty_tiocmset() is added in isdn_tty_set_termios().

Signed-off-by: Jia-Ju Bai --- drivers/isdn/i4l/isdn_tty.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c index 1b2239c1d569..dc1cded716c1 100644 --- a/drivers/isdn/i4l/isdn_tty.c +++ b/drivers/isdn/i4l/isdn_tty.c @@ -1437,15 +1437,19 @@ isdn_tty_set_termios(struct tty_struct *tty, struct ktermios *old_termios) { modem_info *info = (modem_info *) tty->driver_data; + mutex_lock(&modem_info_mutex); if (!old_termios) isdn_tty_change_speed(info); else { if (tty->termios.c_cflag == old_termios->c_cflag && tty->termios.c_ispeed == old_termios->c_ispeed && - tty->termios.c_ospeed == old_termios->c_ospeed) + tty->termios.c_ospeed == old_termios->c_ospeed) { + mutex_unlock(&modem_info_mutex); return; + } isdn_tty_change_speed(info); } + mutex_unlock(&modem_info_mutex); } /* -- 2.17.0
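
Review bot: The early-return branch in isdn_tty_set_termios() now needs its own mutex_unlock(&modem_info_mutex) before `return;`, so the function has two unlock sites that must be kept in sync. Inverting the comparison so that isdn_tty_change_speed(info) is called only when c_cflag, c_ispeed or c_ospeed differ, or routing both paths through a single `out:` label, would leave one lock/unlock pair. The commit message lists isdn_tty_modem_hup directly under isdn_tty_set_termios, but the only call visible in this function is isdn_tty_change_speed(info); the changelog should name that intermediate step so the locked region can be matched to the kfree() calls it is meant to serialize. Since the hunk covers only this one caller, the changelog should also state whether every other path into isdn_tty_modem_hup already holds modem_info_mutex.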