projects / GitHub / LineageOS / G12 / android_kernel_amlogic_linux-4.9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 70bfa2d)
dcb: use after free in dcb_flushapp()
authorDan Carpenter <error27@gmail.com>
Tue, 4 Jan 2011 21:03:44 +0000 (21:03 +0000)
committerDavid S. Miller <davem@davemloft.net>
Thu, 6 Jan 2011 19:16:54 +0000 (11:16 -0800)
The original code has a use after free bug because it's not using the
_safe() version of the list_for_each_entry() macro.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/dcb/dcbnl.c patch | blob | blame | history

diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 4323bd441f0fb57b2db29e3cd914515fd1f96c29..d900ab99814a7e54d8d2d9e14cd828314dd4e7ce 100644 (file)
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1643,9 +1643,10 @@ EXPORT_SYMBOL(dcb_setapp);
 static void dcb_flushapp(void)
 {
        struct dcb_app_type *app;
+       struct dcb_app_type *tmp;
 
        spin_lock(&dcb_lock);
-       list_for_each_entry(app, &dcb_app_list, list) {
+       list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
                list_del(&app->list);
                kfree(app);
        }