From patchwork Thu Jun 26 01:41:30 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jon Maloy
X-Patchwork-Id: 364217
X-Patchwork-Delegate: davem@davemloft.net
From: Jon Maloy
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, Paul Gortmaker, erik.hugne@ericsson.com, ying.xue@windriver.com, maloy@donjonn.com, tipc-discussion@lists.sourceforge.net, Jon Maloy
Subject: [PATCH net-next 01/13] tipc: eliminate case of writing to freed memory
Date: Wed, 25 Jun 2014 20:41:30 -0500
Message-Id: <1403746902-20408-2-git-send-email-jon.maloy@ericsson.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: <1403746902-20408-1-git-send-email-jon.maloy@ericsson.com>
References: <1403746902-20408-1-git-send-email-jon.maloy@ericsson.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

In the function tipc_nodesub_notify() we call a function pointer aggregated into the object to be notified, whereafter we set the function pointer to NULL. However, in some cases the function pointed to will free the struct containing the function pointer, resulting in a write to already freed memory.

This bug seems to always have been there, without causing any notable harm.

In this commit we fix the problem by inverting the order of the zeroing and the function call.

Signed-off-by: Jon Maloy
---
 net/tipc/node_subscr.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/tipc/node_subscr.c b/net/tipc/node_subscr.c index 7c59ab1..2d13eea 100644 --- a/net/tipc/node_subscr.c +++ b/net/tipc/node_subscr.c 
@@ -84,11 +84,13 @@ void tipc_nodesub_unsubscribe(struct tipc_node_subscr *node_sub) void tipc_nodesub_notify(struct list_head *nsub_list) { struct tipc_node_subscr *ns, *safe; + net_ev_handler handle_node_down; list_for_each_entry_safe(ns, safe, nsub_list, nodesub_list) { - if (ns->handle_node_down) { - ns->handle_node_down(ns->usr_handle); + handle_node_down = ns->handle_node_down; + if (handle_node_down) { ns->handle_node_down = NULL; + handle_node_down(ns->usr_handle); } } }
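Review bot: The reordered loop body in tipc_nodesub_notify() has no comment explaining why ns->handle_node_down is cleared before the handler is invoked, so a later cleanup could move the NULL assignment back after the call and reintroduce the write to freed memory; a one-line comment above `ns->handle_node_down = NULL;` stating that the handler may free the struct containing ns would pin the ordering down. The same assumption extends to the iterator: list_for_each_entry_safe() only caches the next entry in `safe`, so the walk stays valid only if a handler never frees or unlinks an entry other than its own, and that is worth stating in the comment or the commit message as well.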