RE: [patch v2] rapidio: use after free in unregister function

From: Bounine, Alexandre
Date: Mon Jul 08 2013 - 07:56:16 EST

Next message: Greg Price: "Re: [PATCH v2] perf report/top: Add option to collapse undesiredparts of call graph"
Previous message: Kishon Vijay Abraham I: "Re: [PATCH 4/5] arm: dts: Add USB phy nodes for AM33XX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Friday, July 05, 2013 4:39 PM, Dan Carpenter wrote:

> We're freeing the list iterator so we can't move to the next entry.
> Since there is only one matching mport_id, we can just break after
> finding it.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> v2: cleaner fix than v1
>
> diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c
> index f4f30af..2e8a20c 100644
> --- a/drivers/rapidio/rio.c
> +++ b/drivers/rapidio/rio.c
> @@ -1715,11 +1715,13 @@ int rio_unregister_scan(int mport_id, struct
> rio_scan *scan_ops)
> (mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
> port->nscan = NULL;
>
> - list_for_each_entry(scan, &rio_scans, node)
> + list_for_each_entry(scan, &rio_scans, node) {
> if (scan->mport_id == mport_id) {
> list_del(&scan->node);
> kfree(scan);
> + break;
> }
> + }
>
> mutex_unlock(&rio_mport_list_lock);
>

Acked-by: Alexandre Bounine <alexandre.bounine@xxxxxxx>

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Price: "Re: [PATCH v2] perf report/top: Add option to collapse undesiredparts of call graph"
Previous message: Kishon Vijay Abraham I: "Re: [PATCH 4/5] arm: dts: Add USB phy nodes for AM33XX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]