* [patch 2/2] dcb: use after free in dcb_flushapp()
@ 2011-01-05 7:03 Dan Carpenter
2011-01-06 19:17 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2011-01-05 7:03 UTC (permalink / raw)
To: netdev; +Cc: John Fastabend, Shmulik Ravid, kernel-janitors, David S. Miller
The original code has a use after free bug because it's not using the
_safe() version of the list_for_each_entry() macro.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 8881cb5..11bf6a2 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1650,9 +1650,10 @@ EXPORT_SYMBOL(dcb_setapp);
static void dcb_flushapp(void)
{
struct dcb_app_type *app;
+ struct dcb_app_type *tmp;
spin_lock(&dcb_lock);
- list_for_each_entry(app, &dcb_app_list, list) {
+ list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
list_del(&app->list);
kfree(app);
}
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-01-06 19:16 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-05 7:03 [patch 2/2] dcb: use after free in dcb_flushapp() Dan Carpenter
2011-01-06 19:17 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).