From patchwork Wed Jan  5 07:03:44 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dan Carpenter <error27@gmail.com>
X-Patchwork-Id: 77573
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 5D04FB711C
	for <patchwork-incoming@ozlabs.org>;
	Wed,  5 Jan 2011 18:04:07 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751486Ab1AEHEB (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 5 Jan 2011 02:04:01 -0500
Received: from mail-yw0-f46.google.com ([209.85.213.46]:49097 "EHLO
	mail-yw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751298Ab1AEHEA (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 5 Jan 2011 02:04:00 -0500
Received: by ywl5 with SMTP id 5so5898940ywl.19
	for <multiple recipients>; Tue, 04 Jan 2011 23:03:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:date:from:to:cc:subject
	:message-id:mime-version:content-type:content-disposition:user-agent;
	bh=gNw4q7DwihtA0dOW1sgoFUsePpcJ9OQHMfqFZ9BFD1o=;
	b=N3rRdp0e3+73/0qSp7nvCXHQFqX16l1VIlrvZ3XZH/3YUwrDAaAGhM5de5wA1L16g0
	6P3tLlQXR2FCUheFXOr9kF98V843ojHWA3IdIuVVYSgxwEQN1TE7J1alRLgYmjXB7FUf
	cmNAGSgWjBm4s+5XLvo1tyULdlA4Q+72gECxQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=date:from:to:cc:subject:message-id:mime-version:content-type
	:content-disposition:user-agent;
	b=XiQZ8+du7UUdx1xWrmpDSeiZG2RbO3svKKhvf5d0MC1bU+7ExQ2poDSIB5Ng0ypUZy
	zp6dd7EKZe2loIaYTYaZ5SxSNmgmIye5igFPeDHj1ROjuqR1z7cp+0XIDqsNbJWoldeF
	KChUrrXDJTtf/L+Zhfr6HO4cO/Cde/O2SU9o0=
Received: by 10.100.236.39 with SMTP id j39mr14009656anh.28.1294211039334;
	Tue, 04 Jan 2011 23:03:59 -0800 (PST)
Received: from bicker (h14ba.n2.ips.mtn.co.ug [212.88.116.186])
	by mx.google.com with ESMTPS id 2sm30528688anw.18.2011.01.04.23.03.54
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Tue, 04 Jan 2011 23:03:58 -0800 (PST)
Date: Wed, 5 Jan 2011 10:03:44 +0300
From: Dan Carpenter <error27@gmail.com>
To: netdev@vger.kernel.org
Cc: John Fastabend <john.r.fastabend@intel.com>,
	Shmulik Ravid <shmulikr@broadcom.com>, kernel-janitors@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>
Subject: [patch 2/2] dcb: use after free in dcb_flushapp()
Message-ID: <20110105070344.GB24847@bicker>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

The original code has a use after free bug because it's not using the
_safe() version of the list_for_each_entry() macro.

Signed-off-by: Dan Carpenter <error27@gmail.com>
---
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index 8881cb5..11bf6a2 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1650,9 +1650,10 @@ EXPORT_SYMBOL(dcb_setapp);
 static void dcb_flushapp(void)
 {
 	struct dcb_app_type *app;
+	struct dcb_app_type *tmp;
 
 	spin_lock(&dcb_lock);
-	list_for_each_entry(app, &dcb_app_list, list) {
+	list_for_each_entry_safe(app, tmp, &dcb_app_list, list) {
 		list_del(&app->list);
 		kfree(app);
 	}