Eric Lee / linux-smarc-t335x-v3.2

Download as
Browse Code ยป

Commit 96642d42f076101ba98866363d908cab706d156c

Authored by David S. Miller
1 parent ebc02e9c52
Exists in master and in 4 other branches v3.2_AM335xPSP_04.06.00.11, v3.2_NEWT335xPSP_04.06.00.11, v3.2_SBC_SMARTMEN, v3.2_SMARCT335xPSP_04.06.00.11

x25: Do not reference freed memory. 

In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'.  Don't do this, because 'nb' might be freed
by then.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Showing 1 changed file with 4 additions and 1 deletions Side-by-side Diff

... ... @@ -396,9 +396,12 @@
396 396 write_lock_bh(&x25_neigh_list_lock);
397 397  
398 398 list_for_each_safe(entry, tmp, &x25_neigh_list) {
  399 + struct net_device *dev;
  400 +
399 401 nb = list_entry(entry, struct x25_neigh, node);
  402 + dev = nb->dev;
400 403 __x25_remove_neigh(nb);
401   - dev_put(nb->dev);
  404 + dev_put(dev);
402 405 }
403 406 write_unlock_bh(&x25_neigh_list_lock);
404 407 }