Re: [patch] Bluetooth: 6lowpan: use after free in disconnect_devices()
From: Jukka Rissanen <hidden>
Date: 2014-10-30 07:54:41
Also in:
kernel-janitors, linux-bluetooth, lkml
Hi Dan, On ke, 2014-10-29 at 19:10 +0300, Dan Carpenter wrote:
This was accidentally changed from list_for_each_entry_safe() to list_for_each_entry() so now it has a use after free bug. I've changed it back.
Good catch! Thanks for the patch. Acked-by: Jukka Rissanen <redacted>
quoted hunk ↗ jump to hunk
Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU') Signed-off-by: Dan Carpenter <redacted>diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index 7254bdd..eef298d 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c@@ -1383,7 +1383,7 @@ static const struct file_operations lowpan_control_fops = { static void disconnect_devices(void) { - struct lowpan_dev *entry, *new_dev; + struct lowpan_dev *entry, *tmp, *new_dev; struct list_head devices; INIT_LIST_HEAD(&devices);@@ -1408,7 +1408,7 @@ static void disconnect_devices(void) rcu_read_unlock(); - list_for_each_entry(entry, &devices, list) { + list_for_each_entry_safe(entry, tmp, &devices, list) { ifdown(entry->netdev); BT_DBG("Unregistering netdev %s %p", entry->netdev->name, entry->netdev); --To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Cheers, Jukka