[stable] [PATCH] [158/275] x25: Do not reference freed memory.

Andi Kleen Wed, 30 Mar 2011 14:36:48 -0700

2.6.35-longterm review patch.  If anyone has any objections, please let me know.


------------------
From: David S. Miller <[email protected]>

commit 96642d42f076101ba98866363d908cab706d156c upstream.

In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'.  Don't do this, because 'nb' might be freed
by then.

Reported-by: Randy Dunlap <[email protected]>
Tested-by: Randy Dunlap <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>

---
 net/x25/x25_link.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.35.y/net/x25/x25_link.c
===================================================================
--- linux-2.6.35.y.orig/net/x25/x25_link.c      2011-03-29 22:51:02.348663073 
-0700
+++ linux-2.6.35.y/net/x25/x25_link.c   2011-03-29 23:03:01.541260733 -0700
@@ -392,9 +392,12 @@
        write_lock_bh(&x25_neigh_list_lock);
 
        list_for_each_safe(entry, tmp, &x25_neigh_list) {
+               struct net_device *dev;
+
                nb = list_entry(entry, struct x25_neigh, node);
+               dev = nb->dev;
                __x25_remove_neigh(nb);
-               dev_put(nb->dev);
+               dev_put(dev);
        }
        write_unlock_bh(&x25_neigh_list_lock);
 }

_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable

[stable] [PATCH] [158/275] x25: Do not reference freed memory.

Reply via email to