On Tue, Jan 23, 2007 at 10:04:33PM -0800, Andrew Morton wrote:
> On Wed, 17 Jan 2007 10:55:54 +0100
> Sébastien Dugué <[EMAIL PROTECTED]> wrote:
>
> > +void lio_check(struct lio_event *lio)
> > +{
> > + int ret;
> > +
> > + ret = atomic_dec_and_test(&lio->lio_users);
> > +
> > + if (unlikely(ret) && lio->lio_notify.notify != SIGEV_NONE) {
> > + /* last one -> notify process */
> > + if (aio_send_signal(&lio->lio_notify))
> > + sigqueue_free(lio->lio_notify.sigq);
> > + kfree(lio);
> > + }
> > +}
>
> That's a scary function. It may (or may not) free the memory at lio,
> returning no indication to the caller whether or not that memory is still
> allocated. This is most peculiar - are you really sure there's no
> potential for a use-after-free here?
Yes, this function looks peculiar. Actually lio gets freed here only
for LIO_NOWAIT case. For LIO_WAIT case, it gets freed at the end
of sys_lio_submit() after it is done waiting for all io's.
But yes, all this is not very obvious.
>
> The function is poorly named: I'd expect something called "foo_check" to
> not have any side-effects. This one has gross side-effects. Want to think
> up a better name, please?
>
> And given that this function has global scope, perhaps a little explanatory
> comment is in order?
>
> > +struct lio_event *lio_create(struct sigevent __user *user_event,
> > + int mode)
>
> Here too.
Ok, will try to take care of all these in the next iteration.
Thanks for your review.
Regards,
Bharata.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
