Re: [PATCH 2.6] 2/3 Serio: possible race in handle_events

[Andrew Morton]

Dmitry Torokhov <dtor_core@xxxxxxxxxxxxx> wrote:
>
> On Saturday 23 August 2003 02:00 am, Andrew Morton wrote:
> > Dmitry Torokhov <dtor_core@xxxxxxxxxxxxx> wrote:
> > > +static int is_known_serio(struct serio *serio)
> > >  +{
> > >  +	struct serio *s;
> > >  +
> > >  +	list_for_each_entry(s, &serio_list, node)
> > >  +		if (s == serio)
> > >  +			return 1;
> > >  +	return 0;
> > >  +}
> >
> > Could this just be
> >
> > 	return !list_empty(&serio->node);
> >
> > ?
> 
> The serio could be free()d, I dont think we want to call list_empty with 
> a dangling pointer. Or am I missing something?
> 

Well if we're playing around with a freed pointer then something is
seriously wrong.  Like, someone could have allocated a new one and got the
same address.

If event->serio can point at freed memory and there's any doubt over it
then we should be nulling out event->serio to indicate that.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/