From 41c57a87183a7c458d86f78966d69d4bf18ea0b7 Mon Sep 17 00:00:00 2001 From: David Barksdale Date: Tue, 30 Jan 2007 14:36:25 -0800 Subject: [PATCH] [PATCH] IPMI: fix timeout list handling Fix a dangling pointer bug in ipmi_timeout_handler. A list of timedout messages is not re-initialized before reuse, causing the head of the list to point to freed memory. Signed-off-by: David Barksdale Signed-off-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/char/ipmi/ipmi_msghandler.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 4e4691a53890..53582b53da95 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -3649,8 +3649,6 @@ static void ipmi_timeout_handler(long timeout_period) unsigned long flags; int i; - INIT_LIST_HEAD(&timeouts); - rcu_read_lock(); list_for_each_entry_rcu(intf, &ipmi_interfaces, link) { /* See if any waiting messages need to be processed. */ @@ -3671,6 +3669,7 @@ static void ipmi_timeout_handler(long timeout_period) /* Go through the seq table and find any messages that have timed out, putting them in the timeouts list. */ + INIT_LIST_HEAD(&timeouts); spin_lock_irqsave(&intf->seq_lock, flags); for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) check_msg_timeout(intf, &(intf->seq_table[i]), -- 2.20.1