From: David Barksdale Date: Tue, 30 Jan 2007 22:36:25 +0000 (-0800) Subject: [PATCH] IPMI: fix timeout list handling X-Git-Tag: firefly_0821_release~31373 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=41c57a87183a7c458d86f78966d69d4bf18ea0b7;p=firefly-linux-kernel-4.4.55.git [PATCH] IPMI: fix timeout list handling Fix a dangling pointer bug in ipmi_timeout_handler. A list of timedout messages is not re-initialized before reuse, causing the head of the list to point to freed memory. Signed-off-by: David Barksdale Signed-off-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 4e4691a53890..53582b53da95 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -3649,8 +3649,6 @@ static void ipmi_timeout_handler(long timeout_period) unsigned long flags; int i; - INIT_LIST_HEAD(&timeouts); - rcu_read_lock(); list_for_each_entry_rcu(intf, &ipmi_interfaces, link) { /* See if any waiting messages need to be processed. */ @@ -3671,6 +3669,7 @@ static void ipmi_timeout_handler(long timeout_period) /* Go through the seq table and find any messages that have timed out, putting them in the timeouts list. */ + INIT_LIST_HEAD(&timeouts); spin_lock_irqsave(&intf->seq_lock, flags); for (i = 0; i < IPMI_IPMB_NUM_SEQ; i++) check_msg_timeout(intf, &(intf->seq_table[i]),