Re: [PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()

From: David Miller
Date: Sat Dec 29 2018 - 00:27:54 EST

Next message: David Miller: "Re: [PATCH v2] net: arcnet: Fix a possible concurrency use-after-free bug in arcnet_reply_tasklet()"
Previous message: Darrick J. Wong: "Re: [PATCH 00/20] drop useless LIST_HEAD"
In reply to: Jia-Ju Bai: "[PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>
Date: Wed, 26 Dec 2018 22:09:34 +0800

> In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and
> HFCPCI_l1hw() may be concurrently executed.
>
> HFCPCI_l1hw()
> line 1173: if (!cs->tx_skb)
>
> hfcpci_interrupt()
> line 942: spin_lock_irqsave();
> line 1066: dev_kfree_skb_irq(cs->tx_skb);
>
> Thus, a possible concurrency use-after-free bug may occur
> in HFCPCI_l1hw().
>
> To fix these bugs, the calls to spin_lock_irqsave() and
> spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
> access to cs->tx_skb.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@xxxxxxxxx>

Applied.

Next message: David Miller: "Re: [PATCH v2] net: arcnet: Fix a possible concurrency use-after-free bug in arcnet_reply_tasklet()"
Previous message: Darrick J. Wong: "Re: [PATCH 00/20] drop useless LIST_HEAD"
In reply to: Jia-Ju Bai: "[PATCH] isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]