On 8/7/06, Zephaniah E. Hull <[email protected]> wrote:
On Mon, Aug 07, 2006 at 01:35:50PM -0400, Dmitry Torokhov wrote:
> Hi,
>
> On 8/7/06, Zephaniah E. Hull <[email protected]> wrote:
> > if (evdev->open) {
> > input_close_device(handle);
> > wake_up_interruptible(&evdev->wait);
> >- list_for_each_entry(list, &evdev->list, node)
> >+ list_for_each_entry_safe(list, next, &evdev->list, node)
> > kill_fasync(&list->fasync, SIGIO, POLL_HUP);
>
> NAK. kill_fasync does not affect the list state so using _safe does
> not buy us anything.
Sorry, but you're wrong.
Immediately before the kill_fasync call list->node.next is a valid
pointer, immediately afterwords it is 0x100100, which happens to be
list_poison. kill_fasync is triggering a close somehow, evdev_close
deletes that element of the list, which poisons the next value, which
can make us crash and burn.
I have a 100% reproducible crash case, which is fixed by the change.
If kill_fasync shouldn't be making it close that's another issue, but at
the moment it is and this is a fairly non-invasive change which fixes
it.
Unfortunately it does not really fix the problem, it just papers over
the issue. The crash will still happen if for some reason
evdev_release runs at a bad moment.
> BTW, [email protected] address is dead, please use
> [email protected] or [email protected] or [email protected].
Noted, recommend updating the entry in MAINTAINERS. :)
Already done ;)
--
Dmitry
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
