From: Jiri Slaby
Date: Wed, 26 Jun 2013 11:01:58 +0200
To: channing, gregkh@linuxfoundation.org
CC: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] TTY: memory leakage in tty_buffer_find()

On 06/26/2013 10:55 AM, Jiri Slaby wrote:
> On 06/26/2013 10:51 AM, channing wrote:
>>
>> In tty_buffer_find(), it scans all tty buffers in
>> free buffer queue, if it finds matched one,
>> tty->buf.free will point to matched one's next buffer,
>
> Oh, how is that true? tbh is moved with every iteration, right? Then:
> *tbh = t->next;
> 't' is what we return, 't->next' is the next one and '*tbh' is where
> 'next' of the previous one will point. So we just set it so we remove
> 't' from the list, or am I missing something?

Actually yes. The code is pretty messy and is hiding that bug pretty
nicely. Let me figure out if there is a nice solution which would make
the code more understandable.

And we should CC: stable with the fix as it is there forever.

--
js
suse labs
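The two list operations discussed in this message, modelled in user space as an added example (not the kernel's tty_buffer_find() and not code from the thread): find_unlink() removes the match through a pointer-to-pointer as the quoted reply describes, while find_head_overwrite() shows the behaviour the patch description reports, where the list head jumps past the match. struct buf, the function names and the buffer sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
struct buf { struct buf *next; size_t size; };	/* constructed stand-in */

/* Pointer-to-pointer unlink: only the matched node leaves the list. */
static struct buf *find_unlink(struct buf **head, size_t size)
{
	struct buf **tbh = head;
	while (*tbh != NULL) {
		struct buf *t = *tbh;
		if (t->size >= size) {
			*tbh = t->next;	/* head or previous ->next now skips t */
			t->next = NULL;
			return t;
		}
		tbh = &t->next;
	}
	return NULL;
}

/* Head overwrite: every node ahead of the match becomes unreachable. */
static struct buf *find_head_overwrite(struct buf **head, size_t size)
{
	for (struct buf *t = *head; t != NULL; t = t->next)
		if (t->size >= size) {
			*head = t->next;	/* predecessors are dropped, not freed */
			t->next = NULL;
			return t;
		}
	return NULL;
}

/* Free list 256 -> 256 -> 1024 -> 256; returns nodes still reachable. */
static size_t remaining_after(int overwrite, size_t size)
{
	struct buf n[4] = { {&n[1], 256}, {&n[2], 256}, {&n[3], 1024}, {NULL, 256} };
	struct buf *head = n;
	size_t len = 0;
	(overwrite ? find_head_overwrite : find_unlink)(&head, size);
	for (struct buf *b = head; b != NULL; b = b->next)
		len++;
	return len;
}

int main(void)
{
	printf("left: %zu vs %zu\n", remaining_after(0, 512), remaining_after(1, 512));
	return 0;
}
```

With a 512-byte request the unlink variant leaves three buffers on the free list, while the head-overwrite variant leaves one and strands the two 256-byte buffers ahead of the match.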