[patch v2] rapidio: use after free in unregister function

From: Dan Carpenter
Date: Fri Jul 05 2013 - 16:39:48 EST

Next message: Dave Jones: "Trying to vfree() bad address (e7eb1d38)"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH] perf stat: fix per-socket output bug for uncore events"
In reply to: Bounine, Alexandre: "RE: [patch] rapidio: use after free in unregister function"
Next in thread: Ryan Mallon: "Re: [patch v2] rapidio: use after free in unregister function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We're freeing the list iterator so we can't move to the next entry.
Since there is only one matching mport_id, we can just break after
finding it.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
v2: cleaner fix than v1

diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
index f4f30af..2e8a20c 100644
--- a/drivers/rapidio/rio.c
+++ b/drivers/rapidio/rio.c
@@ -1715,11 +1715,13 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
(mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
port->nscan = NULL;

- list_for_each_entry(scan, &rio_scans, node)
+ list_for_each_entry(scan, &rio_scans, node) {
if (scan->mport_id == mport_id) {
list_del(&scan->node);
kfree(scan);
+ break;
}
+ }

mutex_unlock(&rio_mport_list_lock);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dave Jones: "Trying to vfree() bad address (e7eb1d38)"
Previous message: Arnaldo Carvalho de Melo: "Re: [PATCH] perf stat: fix per-socket output bug for uncore events"
In reply to: Bounine, Alexandre: "RE: [patch] rapidio: use after free in unregister function"
Next in thread: Ryan Mallon: "Re: [patch v2] rapidio: use after free in unregister function"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]