x25: Do not reference freed memory.
authorDavid S. Miller <davem@davemloft.net>
Thu, 10 Feb 2011 05:48:36 +0000 (21:48 -0800)
committerDavid S. Miller <davem@davemloft.net>
Thu, 10 Feb 2011 06:36:13 +0000 (22:36 -0800)
In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'.  Don't do this, because 'nb' might be freed
by then.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/x25/x25_link.c

index 4cbc942f762a9308ed37016b9aaf5fd3db06ce56..21306928d47f2a185dee95f34ed76412979d9aad 100644 (file)
@@ -396,9 +396,12 @@ void __exit x25_link_free(void)
        write_lock_bh(&x25_neigh_list_lock);
 
        list_for_each_safe(entry, tmp, &x25_neigh_list) {
+               struct net_device *dev;
+
                nb = list_entry(entry, struct x25_neigh, node);
+               dev = nb->dev;
                __x25_remove_neigh(nb);
-               dev_put(nb->dev);
+               dev_put(dev);
        }
        write_unlock_bh(&x25_neigh_list_lock);
 }