Re: aic7(censored) use after free in 2.5.66

Andrew Morton (akpm@digeo.com)
Mon, 31 Mar 2003 23:52:05 -0800


Zwane Mwaikambo <zwane@linuxpower.ca> wrote:
>
> On Mon, 31 Mar 2003, Andrew Morton wrote:
>
> > The corruption was at offset 52 decimal into struct ahc_linux_device.
> > Without knowing your config it is hard for me to work out what you have at
> > that offset. Rebuild your kernel with -g and do:
> >
> > (gdb) p/d &(((struct ahc_linux_device *)0)->maxtags)
> >
> > until you find which member is at offset 52.
> >
> > Something incremented that field by one after it was freed.
>
> (gdb) p/d &(((struct ahc_linux_device *)0)->timer.lock)
> $4 = 52
>
> That would be a lock free it appears.

OK, so that's a spin_unlock(&timer->lock) in the timer code itself. Your
patch will fix that up.

We just need to be sure that the del_timer_sync() is not called while holding
any locks which would prevent the timer handler from completing.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/