提交 b8324f94 编写于 作者: T Tilman Schmidt 提交者: David S. Miller

isdn/gigaset: fix non-heap pointer deallocation

at_state structures may be allocated individually or as part of a
cardstate or bc_state structure. The disconnect() function handled
both cases, creating a risk that it might try to deallocate an
at_state structure that had not been allocated individually.
Fix by splitting disconnect() into two variants handling cases
with and without an associated B channel separately, and adding
an explicit check.

Spotted with Coverity.
Signed-off-by: NTilman Schmidt <tilman@imap.cc>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 846ac301
...@@ -604,14 +604,14 @@ void gigaset_handle_modem_response(struct cardstate *cs) ...@@ -604,14 +604,14 @@ void gigaset_handle_modem_response(struct cardstate *cs)
} }
EXPORT_SYMBOL_GPL(gigaset_handle_modem_response); EXPORT_SYMBOL_GPL(gigaset_handle_modem_response);
/* disconnect /* disconnect_nobc
* process closing of connection associated with given AT state structure * process closing of connection associated with given AT state structure
* without B channel
*/ */
static void disconnect(struct at_state_t **at_state_p) static void disconnect_nobc(struct at_state_t **at_state_p,
struct cardstate *cs)
{ {
unsigned long flags; unsigned long flags;
struct bc_state *bcs = (*at_state_p)->bcs;
struct cardstate *cs = (*at_state_p)->cs;
spin_lock_irqsave(&cs->lock, flags); spin_lock_irqsave(&cs->lock, flags);
++(*at_state_p)->seq_index; ++(*at_state_p)->seq_index;
...@@ -622,23 +622,44 @@ static void disconnect(struct at_state_t **at_state_p) ...@@ -622,23 +622,44 @@ static void disconnect(struct at_state_t **at_state_p)
gig_dbg(DEBUG_EVENT, "Scheduling PC_UMMODE"); gig_dbg(DEBUG_EVENT, "Scheduling PC_UMMODE");
cs->commands_pending = 1; cs->commands_pending = 1;
} }
spin_unlock_irqrestore(&cs->lock, flags);
if (bcs) { /* check for and deallocate temporary AT state */
/* B channel assigned: invoke hardware specific handler */ if (!list_empty(&(*at_state_p)->list)) {
cs->ops->close_bchannel(bcs);
/* notify LL */
if (bcs->chstate & (CHS_D_UP | CHS_NOTIFY_LL)) {
bcs->chstate &= ~(CHS_D_UP | CHS_NOTIFY_LL);
gigaset_isdn_hupD(bcs);
}
} else {
/* no B channel assigned: just deallocate */
spin_lock_irqsave(&cs->lock, flags);
list_del(&(*at_state_p)->list); list_del(&(*at_state_p)->list);
kfree(*at_state_p); kfree(*at_state_p);
*at_state_p = NULL; *at_state_p = NULL;
spin_unlock_irqrestore(&cs->lock, flags); }
spin_unlock_irqrestore(&cs->lock, flags);
}
/* disconnect_bc
* process closing of connection associated with given AT state structure
* and B channel
*/
static void disconnect_bc(struct at_state_t *at_state,
struct cardstate *cs, struct bc_state *bcs)
{
unsigned long flags;
spin_lock_irqsave(&cs->lock, flags);
++at_state->seq_index;
/* revert to selected idle mode */
if (!cs->cidmode) {
cs->at_state.pending_commands |= PC_UMMODE;
gig_dbg(DEBUG_EVENT, "Scheduling PC_UMMODE");
cs->commands_pending = 1;
}
spin_unlock_irqrestore(&cs->lock, flags);
/* invoke hardware specific handler */
cs->ops->close_bchannel(bcs);
/* notify LL */
if (bcs->chstate & (CHS_D_UP | CHS_NOTIFY_LL)) {
bcs->chstate &= ~(CHS_D_UP | CHS_NOTIFY_LL);
gigaset_isdn_hupD(bcs);
} }
} }
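Review bot: The deallocation test in disconnect_nobc, `if (!list_empty(&(*at_state_p)->list))`, only tells a temporary at_state apart from one embedded in a cardstate or bc_state if every embedded at_state keeps an initialised, never-linked `list` head; on an uninitialised head `list_empty()` gives no reliable answer and the `kfree()` that follows would free a non-heap pointer again, which is the defect this commit is fixing. That invariant lives wherever the embedded structures are set up, not in this hunk, so I would state it at the check: `/* embedded at_state structures (cardstate, bc_state) must keep an initialised, unlinked list head: a linked entry is always a temporary one */`. Note also that disconnect_nobc nulls only `*at_state_p`; the local copy `at_state` in do_action still points at freed memory after the call, and while every visible caller breaks out of the switch right away, any later use of `at_state` in such a case would be a use-after-free, so a short comment at those call sites would help. The updated get_free_channel comment in the next hunk says the structure should be freed with disconnect_nobc(), yet the same comment says the function may return one of the B-channel at_state structures, for which the new code uses disconnect_bc(); one more sentence there distinguishing the two cases would avoid a misleading contract.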
...@@ -646,7 +667,7 @@ static void disconnect(struct at_state_t **at_state_p) ...@@ -646,7 +667,7 @@ static void disconnect(struct at_state_t **at_state_p)
* get a free AT state structure: either one of those associated with the * get a free AT state structure: either one of those associated with the
* B channels of the Gigaset device, or if none of those is available, * B channels of the Gigaset device, or if none of those is available,
* a newly allocated one with bcs=NULL * a newly allocated one with bcs=NULL
* The structure should be freed by calling disconnect() after use. * The structure should be freed by calling disconnect_nobc() after use.
*/ */
static inline struct at_state_t *get_free_channel(struct cardstate *cs, static inline struct at_state_t *get_free_channel(struct cardstate *cs,
int cid) int cid)
...@@ -1057,7 +1078,7 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1057,7 +1078,7 @@ static void do_action(int action, struct cardstate *cs,
struct event_t *ev) struct event_t *ev)
{ {
struct at_state_t *at_state = *p_at_state; struct at_state_t *at_state = *p_at_state;
struct at_state_t *at_state2; struct bc_state *bcs2;
unsigned long flags; unsigned long flags;
int channel; int channel;
...@@ -1156,8 +1177,8 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1156,8 +1177,8 @@ static void do_action(int action, struct cardstate *cs,
break; break;
case ACT_RING: case ACT_RING:
/* get fresh AT state structure for new CID */ /* get fresh AT state structure for new CID */
at_state2 = get_free_channel(cs, ev->parameter); at_state = get_free_channel(cs, ev->parameter);
if (!at_state2) { if (!at_state) {
dev_warn(cs->dev, dev_warn(cs->dev,
"RING ignored: could not allocate channel structure\n"); "RING ignored: could not allocate channel structure\n");
break; break;
...@@ -1166,16 +1187,16 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1166,16 +1187,16 @@ static void do_action(int action, struct cardstate *cs,
/* initialize AT state structure /* initialize AT state structure
* note that bcs may be NULL if no B channel is free * note that bcs may be NULL if no B channel is free
*/ */
at_state2->ConState = 700; at_state->ConState = 700;
for (i = 0; i < STR_NUM; ++i) { for (i = 0; i < STR_NUM; ++i) {
kfree(at_state2->str_var[i]); kfree(at_state->str_var[i]);
at_state2->str_var[i] = NULL; at_state->str_var[i] = NULL;
} }
at_state2->int_var[VAR_ZCTP] = -1; at_state->int_var[VAR_ZCTP] = -1;
spin_lock_irqsave(&cs->lock, flags); spin_lock_irqsave(&cs->lock, flags);
at_state2->timer_expires = RING_TIMEOUT; at_state->timer_expires = RING_TIMEOUT;
at_state2->timer_active = 1; at_state->timer_active = 1;
spin_unlock_irqrestore(&cs->lock, flags); spin_unlock_irqrestore(&cs->lock, flags);
break; break;
case ACT_ICALL: case ACT_ICALL:
...@@ -1213,14 +1234,17 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1213,14 +1234,17 @@ static void do_action(int action, struct cardstate *cs,
case ACT_DISCONNECT: case ACT_DISCONNECT:
cs->cur_at_seq = SEQ_NONE; cs->cur_at_seq = SEQ_NONE;
at_state->cid = -1; at_state->cid = -1;
if (bcs && cs->onechannel && cs->dle) { if (!bcs) {
disconnect_nobc(p_at_state, cs);
} else if (cs->onechannel && cs->dle) {
/* Check for other open channels not needed: /* Check for other open channels not needed:
* DLE only used for M10x with one B channel. * DLE only used for M10x with one B channel.
*/ */
at_state->pending_commands |= PC_DLE0; at_state->pending_commands |= PC_DLE0;
cs->commands_pending = 1; cs->commands_pending = 1;
} else } else {
disconnect(p_at_state); disconnect_bc(at_state, cs, bcs);
}
break; break;
case ACT_FAKEDLE0: case ACT_FAKEDLE0:
at_state->int_var[VAR_ZDLE] = 0; at_state->int_var[VAR_ZDLE] = 0;
...@@ -1228,25 +1252,27 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1228,25 +1252,27 @@ static void do_action(int action, struct cardstate *cs,
/* fall through */ /* fall through */
case ACT_DLE0: case ACT_DLE0:
cs->cur_at_seq = SEQ_NONE; cs->cur_at_seq = SEQ_NONE;
at_state2 = &cs->bcs[cs->curchannel].at_state; bcs2 = cs->bcs + cs->curchannel;
disconnect(&at_state2); disconnect_bc(&bcs2->at_state, cs, bcs2);
break; break;
case ACT_ABORTHUP: case ACT_ABORTHUP:
cs->cur_at_seq = SEQ_NONE; cs->cur_at_seq = SEQ_NONE;
dev_warn(cs->dev, "Could not hang up.\n"); dev_warn(cs->dev, "Could not hang up.\n");
at_state->cid = -1; at_state->cid = -1;
if (bcs && cs->onechannel) if (!bcs)
disconnect_nobc(p_at_state, cs);
else if (cs->onechannel)
at_state->pending_commands |= PC_DLE0; at_state->pending_commands |= PC_DLE0;
else else
disconnect(p_at_state); disconnect_bc(at_state, cs, bcs);
schedule_init(cs, MS_RECOVER); schedule_init(cs, MS_RECOVER);
break; break;
case ACT_FAILDLE0: case ACT_FAILDLE0:
cs->cur_at_seq = SEQ_NONE; cs->cur_at_seq = SEQ_NONE;
dev_warn(cs->dev, "Error leaving DLE mode.\n"); dev_warn(cs->dev, "Error leaving DLE mode.\n");
cs->dle = 0; cs->dle = 0;
at_state2 = &cs->bcs[cs->curchannel].at_state; bcs2 = cs->bcs + cs->curchannel;
disconnect(&at_state2); disconnect_bc(&bcs2->at_state, cs, bcs2);
schedule_init(cs, MS_RECOVER); schedule_init(cs, MS_RECOVER);
break; break;
case ACT_FAILDLE1: case ACT_FAILDLE1:
...@@ -1275,14 +1301,14 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1275,14 +1301,14 @@ static void do_action(int action, struct cardstate *cs,
if (reinit_and_retry(cs, channel) < 0) { if (reinit_and_retry(cs, channel) < 0) {
dev_warn(cs->dev, dev_warn(cs->dev,
"Could not get a call ID. Cannot dial.\n"); "Could not get a call ID. Cannot dial.\n");
at_state2 = &cs->bcs[channel].at_state; bcs2 = cs->bcs + channel;
disconnect(&at_state2); disconnect_bc(&bcs2->at_state, cs, bcs2);
} }
break; break;
case ACT_ABORTCID: case ACT_ABORTCID:
cs->cur_at_seq = SEQ_NONE; cs->cur_at_seq = SEQ_NONE;
at_state2 = &cs->bcs[cs->curchannel].at_state; bcs2 = cs->bcs + cs->curchannel;
disconnect(&at_state2); disconnect_bc(&bcs2->at_state, cs, bcs2);
break; break;
case ACT_DIALING: case ACT_DIALING:
...@@ -1291,7 +1317,10 @@ static void do_action(int action, struct cardstate *cs, ...@@ -1291,7 +1317,10 @@ static void do_action(int action, struct cardstate *cs,
break; break;
case ACT_ABORTACCEPT: /* hangup/error/timeout during ICALL procssng */ case ACT_ABORTACCEPT: /* hangup/error/timeout during ICALL procssng */
disconnect(p_at_state); if (bcs)
disconnect_bc(at_state, cs, bcs);
else
disconnect_nobc(p_at_state, cs);
break; break;
case ACT_ABORTDIAL: /* error/timeout during dial preparation */ case ACT_ABORTDIAL: /* error/timeout during dial preparation */