The patch titled
ISDN: fix double free bug in isdn_net
has been removed from the -mm tree. Its filename is
isdn-fix-double-free-bug-in-isdn_net.patch
This patch was dropped because it is not clear that it is correct
------------------------------------------------------
Subject: ISDN: fix double free bug in isdn_net
From: Jesper Juhl <jesper.juhl@xxxxxxxxx>
There's double-free bug in
drivers/isdn/i4l/isdn_net.c::isdn_net_writebuf_skb().
If isdn_writebuf_skb_stub() doesn't handle the entire skb, then it will
have freed the skb that was passed to it and when the code then jumps to
the error label it'll result in a double free of the skb.
The easy way to fix this is to insert an assignment of skb = NULL in the
'if' following the call to isdn_writebuf_skb_stub() so that when the code
at the error label calls dev_kfree_skb(skb); the skb will be NULL and
nothing will happen since dev_kfree_skb() just does a return if passed a
NULL.
Signed-off-by: Jesper Juhl <jesper.juhl@xxxxxxxxx>
Cc: Karsten Keil <kkeil@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
drivers/isdn/i4l/isdn_net.c | 1 +
1 files changed, 1 insertion(+)
diff -puN drivers/isdn/i4l/isdn_net.c~isdn-fix-double-free-bug-in-isdn_net drivers/isdn/i4l/isdn_net.c
--- a/drivers/isdn/i4l/isdn_net.c~isdn-fix-double-free-bug-in-isdn_net
+++ a/drivers/isdn/i4l/isdn_net.c
@@ -1023,6 +1023,7 @@ void isdn_net_writebuf_skb(isdn_net_loca
if (ret != len) {
/* we should never get here */
printk(KERN_WARNING "%s: HL driver queue full\n", lp->name);
+ skb = NULL;
goto error;
}
_
Patches currently in -mm which might be from jesper.juhl@xxxxxxxxx are
small-update-to-credits.patch
isdn-fix-double-free-bug-in-isdn_net.patch
debug-shared-irqs.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
