* [PATCH] IPMI: fix timeout list handling
@ 2007-01-30 19:37 Corey Minyard
From: Corey Minyard @ 2007-01-30 19:37 UTC
To: Andrew Morton, Linux Kernel; +Cc: David Barksdale
From: David Barksdale <amatus@ocgnet.org>
This patch against the 2.6.20-rc6 kernel fixes a dangling pointer bug in
ipmi_timeout_handler. A list of timed-out messages is not re-initialized
before reuse, causing the head of the list to point to freed memory.
Signed-off-by: David Barksdale <amatus@ocgnet.org>
Signed-off-by: Corey Minyard <minyard@acm.org>
---
diff -ruNp linux-2.6.git.orig/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.git/drivers/char/ipmi/ipmi_msghandler.c
--- linux-2.6.git.orig/drivers/char/ipmi/ipmi_msghandler.c 2007-01-30 10:32:14.000000000 -0600
+++ linux-2.6.git/drivers/char/ipmi/ipmi_msghandler.c 2007-01-30 10:33:50.000000000 -0600
@@ -3649,8 +3649,6 @@ static void ipmi_timeout_handler(long ti
unsigned long flags;
int i;
- INIT_LIST_HEAD(&timeouts);
-
rcu_read_lock();
list_for_each_entry_rcu(intf, &ipmi_interfaces, link) {
/* See if any waiting messages need to be processed. */
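Review bot: with the INIT_LIST_HEAD(&timeouts) at the top of ipmi_timeout_handler removed, timeouts holds no valid list head until the loop body reaches the initialization added in the next hunk. Please confirm that nothing earlier in the list_for_each_entry_rcu body, and nothing after the loop, reads timeouts. If it is declared as a plain struct list_head in this function, declaring it with an initializer such as LIST_HEAD(timeouts) would keep the head valid on every path, in addition to the per-interface reset.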
@@ -3671,6 +3669,7 @@ static void ipmi_timeout_handler(long ti
/* Go through the seq table and find any messages that
have timed out, putting them in the timeouts
list. */
+ INIT_LIST_HEAD(&timeouts);
spin_lock_irqsave(&intf->seq_lock, flags);
for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++)
check_msg_timeout(intf, &(intf->seq_table[i]),
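Review bot: the added INIT_LIST_HEAD(&timeouts) just before spin_lock_irqsave has no comment explaining why the head must be reset for each interface; the existing comment above it only describes filling the list. The commit message says the head is left pointing at freed memory after a previous pass, so a short comment stating that would keep a later cleanup from hoisting the call back out of the loop. It is also worth checking whether the code that consumes the list (not shown in this hunk) could unlink each entry with list_del before freeing it, so the head ends up empty without depending on the re-initialization.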