Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()

From: Greg KH
Date: Mon Jan 07 2019 - 03:53:42 EST

Next message: Mateusz StÄpieÅ: "Re: PROBLEM: Old content of /proc/net after switching network namespace"
Previous message: Cao jin: "Re: [PATCH] x86/boot: drop memset from copy.S"
Next in thread: Greg KH: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
> In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and hdlcdev_open() can be concurrently executed.
>
> hdlcdev_open
> startup
> claim_resources
> rx_alloc_buffers
> line 2641: kfree(info->rx_buf)
>
> mgslpc_open
> startup
> claim_resources
> rx_alloc_buffers
> line 2641: kfree(info->rx_buf)
>
> Thus, a possible concurrency double-free bug may occur.
>
> This possible bug is found by a static analysis tool written by myself and my manual code review.

Care to send a patch to fix up this potential issue?

thanks,

greg k-h

Next message: Mateusz StÄpieÅ: "Re: PROBLEM: Old content of /proc/net after switching network namespace"
Previous message: Cao jin: "Re: [PATCH] x86/boot: drop memset from copy.S"
Next in thread: Greg KH: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]