Date: Fri, 3 Feb 2006 22:02:54 -0800
From: Greg KH <greg@kroah.com>
To: Max Asbock <masbock@us.ibm.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ibmasm driver: don't use previously freed pointer
Message-ID: <20060204060254.GA4454@kroah.com>
References: <1139005598.7521.68.camel@w-amax>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1139005598.7521.68.camel@w-amax>
User-Agent: Mutt/1.5.11
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1378
Lines: 41

On Fri, Feb 03, 2006 at 02:26:38PM -0800, Max Asbock wrote:
> ibmasm driver:
> Fix the command_put() function which uses a pointer for a spinlock that
> can be freed before dereferencing it.
> 
> Signed-off-by: Max Asbock masbock@us.ibm.com
> 
> ---
> 
> diff -burpN linux-2.6.16-rc1/drivers/misc/ibmasm/ibmasm.h linux-2.6.16-rc1.ibmasm/drivers/misc/ibmasm/ibmasm.h
> --- linux-2.6.16-rc1/drivers/misc/ibmasm/ibmasm.h	2006-02-01 11:50:01.000000000 -0800
> +++ linux-2.6.16-rc1.ibmasm/drivers/misc/ibmasm/ibmasm.h	2006-02-03 13:57:42.000000000 -0800
> @@ -101,10 +101,11 @@ struct command {
>  static inline void command_put(struct command *cmd)
>  {
>  	unsigned long flags;
> +	spinlock_t *lock = cmd->lock;
>  
> -	spin_lock_irqsave(cmd->lock, flags);
> +	spin_lock_irqsave(lock, flags);
>          kobject_put(&cmd->kobj);
> -	spin_unlock_irqrestore(cmd->lock, flags);
> +	spin_unlock_irqrestore(lock, flags);
>  }

If this patch is true, doesn't the spinlock the pointer is pointing out
still get deleted?

Yes you save a pointer off, but it looks like the problem is still
present.

Or am I missing something?

thanks,

greg k-h
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/