Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit f654326f authored by Alexander Popov's avatar Alexander Popov Committed by Zvikomborero Vincent Zvikaramba
Browse files

tty: n_hdlc: get rid of racy n_hdlc.tbuf 



Currently N_HDLC line discipline uses a self-made singly linked list for
data buffers and has n_hdlc.tbuf pointer for buffer retransmitting after
an error.

The commit be10eb75
("tty: n_hdlc add buffer flushing") introduced racy access to n_hdlc.tbuf.
After tx error concurrent flush_tx_queue() and n_hdlc_send_frames() can put
one data buffer to tx_free_buf_list twice. That causes double free in
n_hdlc_release().

Let's use standard kernel linked list and get rid of n_hdlc.tbuf:
in case of tx error put current data buffer after the head of tx_buf_list.

Signed-off-by: default avatarAlexander Popov <alex.popov@linux.com>

CVE-2017-2636

Change-Id: I057e763865c4dec5b1daf1ddde285927dd9803fb
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
parent 9a978da1
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment