Roland Dreier wrote:
I just queued all of this for 2.6.22.
Is there any chance of getting a fix for the use-after-free that can
be caused by allocating something from userspace, failing to mmap the
buffer and then exiting? To see what happens, look at how
ipath_create_cq sticks a struct ipath_mmap_info into the pending mmap
"list" (and yes it would be much cleaner to just use struct list_head
here rather than reimplementing a linked list yourself), and then look
at how ipath_destroy_cq() frees the same structure without checking if
it has been removed from the pending mmap list.
BTW: any idea how this ever got triggered? The only way I can see is if
you're either not using libipathverbs and libibverbs and you just create
the CQ some other way, which seems unlikely. Do you know how Jason
triggered this bug?
I'm also going to fix a problem where hitting the maximum number of CQs
causes an error return, but doesn't clean up the pending list and thus
leaks memory.
Regards,
Robert.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
