From patchwork Thu May 31 06:21:48 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 923202 X-Patchwork-Delegate: lorenzo.pieralisi@arm.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=linux-pci-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=oracle.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=oracle.com header.i=@oracle.com header.b="nYQs3zoW"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 40xHRz0y4Pz9s01 for ; Thu, 31 May 2018 16:22:06 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753958AbeEaGWE (ORCPT ); Thu, 31 May 2018 02:22:04 -0400 Received: from userp2120.oracle.com ([156.151.31.85]:52860 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751037AbeEaGWD (ORCPT ); Thu, 31 May 2018 02:22:03 -0400 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w4V6G1ck012138; Thu, 31 May 2018 06:21:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : mime-version : content-type; s=corp-2017-10-26; bh=5mehTwtMLws8weYq1CnEWnOG1rojI/X28ITdRuHKajo=; b=nYQs3zoWDMPBzwAtGZU80smy8DepWQywTGzYfpreiqjffbxX9x+A3ByV8bCigEKOd2U9 XJ9zyY5oZ8+jhOzHKFHWFPl8Xu8wPtR8VHAxOEQyiywTLODwjVgUKMHbT87csNuqUmo3 hlddPGfMkStSzZzGVwv0JZ806h4igjNOyokxvMS0Mubjugp7/NwdroOZu05CW/l+NP2u xCtF/BWE3zfE2drCj9hZFJ1JkJld+xNkaza28E3lSzKOjJ21RIdOVwRszXkfyIpwYKHO ubkSRTWRV77D3HMceq5zdJk+tKbnAxTACsxJSgSJ/1ejoghfj0xOwg1cC/R9TEHhCpmq gA== Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by userp2120.oracle.com with ESMTP id 2j9ev85dvx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 31 May 2018 06:21:58 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w4V6LvsF031781 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 31 May 2018 06:21:57 GMT Received: from abhmp0014.oracle.com (abhmp0014.oracle.com [141.146.116.20]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w4V6Luu5030267; Thu, 31 May 2018 06:21:56 GMT Received: from kili.mountain (/197.157.0.20) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 30 May 2018 23:21:55 -0700 Date: Thu, 31 May 2018 09:21:48 +0300 From: Dan Carpenter To: Kishon Vijay Abraham I Cc: Lorenzo Pieralisi , Bjorn Helgaas , linux-pci@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH] PCI: endpoint: use after free in pci_epf_unregister_driver() Message-ID: <20180531062148.qnhcnnibz2ql6soa@kili.mountain> MIME-Version: 1.0 Content-Disposition: inline X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170113 (1.7.2) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8909 signatures=668702 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=580 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1805310071 Sender: linux-pci-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-pci@vger.kernel.org We need to use list_for_each_entry_safe() because the pci_ep_cfs_remove_epf_group() function frees "group". Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry") Signed-off-by: Dan Carpenter Acked-by: Kishon Vijay Abraham I diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c index 523a8cab3bfb..bf53fad636a5 100644 --- a/drivers/pci/endpoint/pci-epf-core.c +++ b/drivers/pci/endpoint/pci-epf-core.c @@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space); */ void pci_epf_unregister_driver(struct pci_epf_driver *driver) { - struct config_group *group; + struct config_group *group, *tmp; mutex_lock(&pci_epf_mutex); - list_for_each_entry(group, &driver->epf_group, group_entry) + list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry) pci_ep_cfs_remove_epf_group(group); list_del(&driver->epf_group); mutex_unlock(&pci_epf_mutex);