From: David Barksdale <[EMAIL PROTECTED]>

This patch against the 2.6.20-rc6 kernel fixes a dangling pointer bug in ipmi_timeout_handler. A list of timed-out messages is not re-initialized before reuse, causing the head of the list to point to freed memory.
Signed-off-by: David Barksdale <[EMAIL PROTECTED]> Signed-off-by: Corey Minyard <[EMAIL PROTECTED]> --- diff -ruNp linux-2.6.git.orig/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.git/drivers/char/ipmi/ipmi_msghandler.c --- linux-2.6.git.orig/drivers/char/ipmi/ipmi_msghandler.c 2007-01-30 10:32:14.000000000 -0600 +++ linux-2.6.git/drivers/char/ipmi/ipmi_msghandler.c 2007-01-30 10:33:50.000000000 -0600 @@ -3649,8 +3649,6 @@ static void ipmi_timeout_handler(long ti unsigned long flags; int i; - INIT_LIST_HEAD(&timeouts); - rcu_read_lock(); list_for_each_entry_rcu(intf, &ipmi_interfaces, link) { /* See if any waiting messages need to be processed. */ @@ -3671,6 +3669,7 @@ static void ipmi_timeout_handler(long ti /* Go through the seq table and find any messages that have timed out, putting them in the timeouts list. */ + INIT_LIST_HEAD(&timeouts); spin_lock_irqsave(&intf->seq_lock, flags); for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) check_msg_timeout(intf, &(intf->seq_table[i]),
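Review bot: dropping the function-level INIT_LIST_HEAD(&timeouts) in the first hunk leaves `timeouts` uninitialised from its declaration until the per-interface init in the second hunk runs, which is safe only as long as nothing between the top of the list_for_each_entry_rcu() loop and that init (the "See if any waiting messages need to be processed" block) touches the list. Keeping the one-time init here as well costs nothing and protects against a later `continue` or early use of the list; at minimum a comment at the declaration saying the list is (re)initialised per interface would help.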
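Review bot: the per-interface INIT_LIST_HEAD(&timeouts) in the second hunk sits in the right place, before check_msg_timeout() starts filling the list under seq_lock, but the reason is not visible locally. A one-line comment stating that the timeouts list is drained and its messages freed for each interface, so the head must be reset before it is reused, would save the next reader from re-deriving the dangling-pointer bug from the changelog; if the drain loop frees entries without list_del(), resetting the head is the only thing that keeps it valid, and that is worth saying next to the init.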