Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()

From: Greg KH
Date: Mon Jan 07 2019 - 03:57:29 EST

Next message: Michael Ellerman: "Re: [PATCH] vfio_pci: Add local source directory as include"
Previous message: Daniel Lezcano: "Re: [PATCH v2 1/4] dt-bindings: Correct RISC-V's timebase-frequency"
In reply to: Greg KH: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Next in thread: Jia-Ju Bai: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 07, 2019 at 04:12:22PM +0800, Jia-Ju Bai wrote:
> In drivers/char/pcmcia/synclink_cs.c, the functions mgslpc_open() and hdlcdev_open() can be concurrently executed.
>
> hdlcdev_open
> startup
> claim_resources
> rx_alloc_buffers
> line 2641: kfree(info->rx_buf)
>
> mgslpc_open
> startup
> claim_resources
> rx_alloc_buffers
> line 2641: kfree(info->rx_buf)
>
> Thus, a possible concurrency double-free bug may occur.

Wait, are you sure those really are the same structure, and that those
two functions can be called at the same time? That is a tty and a
network device, are they both created at the same time or does opening
one create the other?

It's not obvious in looking at the code if this really is the same
structure or not, how did your tool figure it out?

thanks,

greg k-h

Next message: Michael Ellerman: "Re: [PATCH] vfio_pci: Add local source directory as include"
Previous message: Daniel Lezcano: "Re: [PATCH v2 1/4] dt-bindings: Correct RISC-V's timebase-frequency"
In reply to: Greg KH: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Next in thread: Jia-Ju Bai: "Re: [BUG] char: pcmcia: a possible concurrency double-free bug in rx_alloc_buffers()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]