Re: [PATCH 22/30] rapidio: add global inbound port write interfaces

From: Andrew Morton
Date: Mon Feb 08 2016 - 16:18:29 EST

Next message: Amit Pundir: "[RFC][PATCH v2] usb: gadget: u_ether: Add workqueue as bottom half handler for rx data path"
Previous message: Joshua Henderson: "[PATCH v2 2/2] rng: pic32-rng: Add PIC32 RNG hardware driver"
Next in thread: Bounine, Alexandre: "RE: [PATCH 22/30] rapidio: add global inbound port write interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 5 Feb 2016 18:19:38 -0500 Alexandre Bounine <alexandre.bounine@xxxxxxx> wrote:

> +int rio_del_mport_pw_handler(struct rio_mport *mport, void *context,
> + int (*pwcback)(struct rio_mport *mport,
> + void *context, union rio_pw_msg *msg, int step))
> +{
> + int rc = -EINVAL;
> + struct rio_pwrite *pwrite;
> +
> + mutex_lock(&mport->lock);
> + list_for_each_entry(pwrite, &mport->pwrites, node) {

You have a use-after-free here - list_for_each_entry() references the
pwrite_node_next which was freed on the previous loop.

I'll switch this to list_for_each_entry_safe. Please test that change
and review the other patches for reoccurrences.

> + if (pwrite->pwcback == pwcback && pwrite->context == context) {
> + list_del(&pwrite->node);
> + kfree(pwrite);
> + rc = 0;
> + break;
> + }
> + }
> + mutex_unlock(&mport->lock);
> +
> + return rc;
> +}
> +EXPORT_SYMBOL_GPL(rio_del_mport_pw_handler);

Next message: Amit Pundir: "[RFC][PATCH v2] usb: gadget: u_ether: Add workqueue as bottom half handler for rx data path"
Previous message: Joshua Henderson: "[PATCH v2 2/2] rng: pic32-rng: Add PIC32 RNG hardware driver"
Next in thread: Bounine, Alexandre: "RE: [PATCH 22/30] rapidio: add global inbound port write interfaces"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]