[dahdi-commits] dahdi/linux.git branch "master" updated.
SVN commits to the DAHDI project
dahdi-commits at lists.digium.com
Mon Jul 7 12:26:09 CDT 2014
branch "master" has been updated
via a1ff3cb0c0f3f4e65d734f4a71a090f5484505b4 (commit)
from 089b593b56c73be97b37155798a62db0dd0c7435 (commit)
Summary of changes:
drivers/dahdi/dahdi-base.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
- Log -----------------------------------------------------------------
commit a1ff3cb0c0f3f4e65d734f4a71a090f5484505b4
Author: Shaun Ruffell <sruffell at digium.com>
Date: Sat Jul 5 14:52:46 2014 -0500
dahdi: Stop tones on channel when updating tone zone.
If a channel is currently playing a tone when the tone zone is updated, the
existing tone zone could be freed while the channel keeps a reference to the
current tone (curtone) that points into the freed zone.
If the newly freed tone is then modified, there was a window where it was
possible to corrupt 'struct dahdi_chan' (by overrunning swritechunk[])
resulting in a "BUG: unable to handle kernel paging request at virtual address"
panic in the context of __dahdi_transmit_chunk().
Reported-and-Tested-by: Matt Behrens <matt at zigg.com>
Signed-off-by: Shaun Ruffell <sruffell at digium.com>
Signed-off-by: Russ Meyerriecks <rmeyerriecks at digium.com>
diff --git a/drivers/dahdi/dahdi-base.c b/drivers/dahdi/dahdi-base.c
index 40131a4..d46d7eb 100644
--- a/drivers/dahdi/dahdi-base.c
+++ b/drivers/dahdi/dahdi-base.c
@@ -1811,6 +1811,17 @@ static int start_tone(struct dahdi_chan *chan, int tone)
return res;
}
+/**
+ * stop_tone - Stops any tones on a channel.
+ *
+ * Must be called with chan->lock held.
+ *
+ */
+static inline int stop_tone(struct dahdi_chan *chan)
+{
+ return start_tone(chan, -1);
+}
+
static int set_tone_zone(struct dahdi_chan *chan, int zone)
{
int res = 0;
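Review bot: the kernel-doc block for stop_tone() documents the locking rule but not the return value, and the literal -1 passed to start_tone() is unexplained. Since the helper forwards start_tone()'s int result and the only caller added in this patch discards it, either declare the helper void or add a "Return:" line saying what a non-zero result means, and note in the comment that -1 is the value start_tone() treats as "stop". The "Must be called with chan->lock held" requirement could also be enforced with lockdep_assert_held(&chan->lock) rather than relying on the comment alone, if the supported kernel versions allow it.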
@@ -1838,6 +1849,9 @@ static int set_tone_zone(struct dahdi_chan *chan, int zone)
return -ENODATA;
spin_lock_irqsave(&chan->lock, flags);
+
+ stop_tone(chan);
+
if (chan->curzone) {
struct dahdi_zone *zone = chan->curzone;
chan->curzone = NULL;
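Review bot: the result of stop_tone(chan) is ignored at the new call in set_tone_zone(), so if start_tone(chan, -1) can return an error, the channel may still hold a curtone pointer into the zone that is about to be dropped. Either check the return value or state in a short comment why the call cannot fail here. A one-line comment at the call site saying that curtone points into curzone and must be cleared before the zone reference is released would also keep a later cleanup from removing or reordering the call.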
-----------------------------------------------------------------------
--
dahdi/linux.git