On Wed, 17 Jan 2007 10:55:54 +0100
Sébastien Dugué <[EMAIL PROTECTED]> wrote:
> +void lio_check(struct lio_event *lio)
> +{
> + int ret;
> +
> + ret = atomic_dec_and_test(&lio->lio_users);
> +
> + if (unlikely(ret) && lio->lio_notify.notify != SIGEV_NONE) {
> + /* last one -> notify process */
> + if (aio_send_signal(&lio->lio_notify))
> + sigqueue_free(lio->lio_notify.sigq);
> + kfree(lio);
> + }
> +}
That's a scary function. It may (or may not) free the memory at lio,
returning no indication to the caller whether or not that memory is still
allocated. This is most peculiar - are you really sure there's no
potential for a use-after-free here?
The function is poorly named: I'd expect something called "foo_check" to
not have any side-effects. This one has gross side-effects. Want to think
up a better name, please?
And given that this function has global scope, perhaps a little explanatory
comment is in order?
> +struct lio_event *lio_create(struct sigevent __user *user_event,
> + int mode)
Here too.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
