From: Patrick McHardy Date: Tue, 5 Jun 2007 23:06:59 +0000 (-0700) Subject: [NET_SCHED]: Fix filter double free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b00b4bf94edb42852d55619af453588b2de2dc5e;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [NET_SCHED]: Fix filter double free cbq and atm destroy their filters twice when destroying inner classes during qdisc destruction. Reported-and-tested-by: Strobl Anton Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c index be7d299acd73..d1c383fca82c 100644 --- a/net/sched/sch_atm.c +++ b/net/sched/sch_atm.c @@ -599,6 +599,7 @@ static void atm_tc_destroy(struct Qdisc *sch) /* races ? */ while ((flow = p->flows)) { tcf_destroy_chain(flow->filter_list); + flow->filter_list = NULL; if (flow->ref > 1) printk(KERN_ERR "atm_destroy: %p->ref = %d\n",flow, flow->ref); diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c index a294542cb8e4..ee2d5967d109 100644 --- a/net/sched/sch_cbq.c +++ b/net/sched/sch_cbq.c @@ -1748,10 +1748,12 @@ cbq_destroy(struct Qdisc* sch) * classes from root to leafs which means that filters can still * be bound to classes which have been destroyed already. --TGR '04 */ - for (h = 0; h < 16; h++) - for (cl = q->classes[h]; cl; cl = cl->next) + for (h = 0; h < 16; h++) { + for (cl = q->classes[h]; cl; cl = cl->next) { tcf_destroy_chain(cl->filter_list); - + cl->filter_list = NULL; + } + } for (h = 0; h < 16; h++) { struct cbq_class *next;