Re: [PATCH] Fix kfree bug in sendmsg and recvmsg

From: Al Viro
Date: Wed Feb 17 2016 - 11:44:16 EST


On Wed, Feb 17, 2016 at 11:38:05AM -0500, Joe Korty wrote:
> Fix kfree bug in recvmsg and sendmsg.
>
> We cannot kfree(iov) when iov points to an array on the
> stack, as that has the potential of corrupting memory.
>
> So re-introduce the if-stmt that used to protect kfree
> from this condition, code that was removed as part of
> a larger set of changes made by git commit da184284.

NAK. You are misreading import_iovec():
*iov = p == *iov ? NULL : p;
in the end will have iov replaced with NULL if we ended up using what
it originally pointed to.
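As an added userspace illustration of the contract Al describes (example code written here, not kernel source; `struct seg`, `import_segs`, `import_and_sum` and `FAST_SEGS` are this example's own names, standing in for `struct iovec`, `import_iovec()`, the sendmsg/recvmsg callers and `UIO_FASTIOV`): the importer either fills the caller's on-stack array and sets the caller's pointer to NULL, or allocates on the heap and returns that pointer. Either way the caller's unconditional free is safe, which is why the re-introduced `if` guard is unnecessary.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the import_iovec() contract; names are this example's own. */
#define FAST_SEGS 8

struct seg {
    const void *base;
    size_t len;
};

/*
 * On entry, *iovp points at the caller's on-stack fast array of fast_segs
 * entries. If nr_segs fit there, that array is used and *iovp is set to NULL;
 * otherwise a heap array is allocated and *iovp points at it. In both cases
 * *used receives the array actually holding the segments (the kernel keeps
 * that pointer inside the iov_iter). The caller may therefore free(*iovp)
 * unconditionally: free(NULL) is a no-op, and the stack array is never freed.
 * Returns 0 on success, -1 on allocation failure (*iovp left untouched).
 */
static int import_segs(const struct seg *src, size_t nr_segs,
                       struct seg **iovp, size_t fast_segs,
                       const struct seg **used)
{
    struct seg *p = *iovp;

    if (nr_segs > fast_segs) {
        p = calloc(nr_segs, sizeof(*p));
        if (!p)
            return -1;
    }
    memcpy(p, src, nr_segs * sizeof(*p));
    *used = p;
    /* The line Al quotes: NULL if we ended up using the caller's array. */
    *iovp = p == *iovp ? NULL : p;
    return 0;
}

/*
 * Caller pattern as in sendmsg/recvmsg: stack array, import, use, free.
 * Returns the total byte count of the imported segments, or -1 on error.
 * *heap_used reports whether the heap path was taken.
 */
static long import_and_sum(size_t nr_segs, int *heap_used)
{
    struct seg fast[FAST_SEGS];
    struct seg *iov = fast;          /* what the kernel passes as &iov */
    const struct seg *used = NULL;
    struct seg src[32];              /* constructed input: segment i has len i+1 */
    static const char buf[32] = "0123456789abcdefghijklmnopqrstu";
    long total = 0;
    size_t i;

    if (nr_segs > 32)
        return -1;
    for (i = 0; i < nr_segs; i++) {
        src[i].base = buf + i;
        src[i].len = i + 1;
    }

    if (import_segs(src, nr_segs, &iov, FAST_SEGS, &used) < 0)
        return -1;

    for (i = 0; i < nr_segs; i++)
        total += (long)used[i].len;

    *heap_used = (iov != NULL);
    free(iov);      /* safe in both cases: NULL, or the heap copy; never &fast[0] */
    return total;
}

int main(void)
{
    int heap;
    long t;

    t = import_and_sum(4, &heap);
    printf("4 segs: total=%ld heap=%d\n", t, heap);    /* fits in fast[] */
    t = import_and_sum(12, &heap);
    printf("12 segs: total=%ld heap=%d\n", t, heap);   /* heap allocated */
    return 0;
}
```

The old guard (`if (iov != fast) kfree(iov);`) is harmless under this contract but redundant: after the import, `iov` is either NULL or the heap copy, and can never equal `fast`.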