www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Alexander Popov <alex.popov@linux.com>
	Tue, 28 Feb 2017 16:54:40 +0000 (19:54 +0300)
committer	Dhaval Giani <dhaval.giani@oracle.com>
	Mon, 29 May 2017 21:24:37 +0000 (17:24 -0400)
commit	ae5edcd90a279c19ed1ca7338f9fb2b7bbca30da
tree	8d58c5d5a32118fb021c0126161c061a4fcc0d1c	tree
parent	83b7e17e87b5300eef7ec4196f1e46bb0446267b	commit \| diff

tty: n_hdlc: get rid of racy n_hdlc.tbuf

Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.

The commit be10eb7589337e5defbe214dae038a53dd21add8
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().

Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.

Signed-off-by: Alexander Popov <alex.popov@linux.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Orabug: 25802678
CVE: CVE-2017-2636
(cherry picked from commit 82f2341c94d270421f383641b7cd670e474db56b)
Signed-off-by: Todd Vierling <todd.vierling@oracle.com>