tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Staging: unisys: use after free in list_for_each()

These should be using the _safe version of list_for_each() because we
free the current element and it leads to a use after free bug.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Dan Carpenter and committed by
Greg Kroah-Hartman e6b1ea77 d21bb450

+6 -6
+2 -2
drivers/staging/unisys/visorchipset/visorchipset.h
··· 104 104 105 105 static inline void delbusdevices(struct list_head *list, U32 busNo) 106 106 { 107 - VISORCHIPSET_DEVICE_INFO *p; 107 + VISORCHIPSET_DEVICE_INFO *p, *tmp; 108 108 109 - list_for_each_entry(p, list, entry) { 109 + list_for_each_entry_safe(p, tmp, list, entry) { 110 110 if (p->busNo == busNo) { 111 111 list_del(&p->entry); 112 112 kfree(p);
+4 -4
drivers/staging/unisys/visorchipset/visorchipset_main.c
··· 605 605 static void 606 606 cleanup_controlvm_structures(void) 607 607 { 608 - VISORCHIPSET_BUS_INFO *bi; 609 - VISORCHIPSET_DEVICE_INFO *di; 608 + VISORCHIPSET_BUS_INFO *bi, *tmp_bi; 609 + VISORCHIPSET_DEVICE_INFO *di, *tmp_di; 610 610 611 - list_for_each_entry(bi, &BusInfoList, entry) { 611 + list_for_each_entry_safe(bi, tmp_bi, &BusInfoList, entry) { 612 612 busInfo_clear(bi); 613 613 list_del(&bi->entry); 614 614 kfree(bi); 615 615 } 616 616 617 - list_for_each_entry(di, &DevInfoList, entry) { 617 + list_for_each_entry_safe(di, tmp_di, &DevInfoList, entry) { 618 618 devInfo_clear(di); 619 619 list_del(&di->entry); 620 620 kfree(di);