From: David S. Miller <davem@davemloft.net>
Date: Thu, 10 Feb 2011 05:48:36 +0000 (-0800)
Subject: x25: Do not reference freed memory.
X-Git-Tag: firefly_0821_release~10186^2~385
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=7599b39d52b21cd13dcc53e395b459f826fb4728;p=firefly-linux-kernel-4.4.55.git

x25: Do not reference freed memory.

commit 96642d42f076101ba98866363d908cab706d156c upstream.

In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'.  Don't do this, because 'nb' might be freed
by then.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 8954783597c5..3f1816a62844 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -391,9 +391,12 @@ void __exit x25_link_free(void)
 	write_lock_bh(&x25_neigh_list_lock);
 
 	list_for_each_safe(entry, tmp, &x25_neigh_list) {
+		struct net_device *dev;
+
 		nb = list_entry(entry, struct x25_neigh, node);
+		dev = nb->dev;
 		__x25_remove_neigh(nb);
-		dev_put(nb->dev);
+		dev_put(dev);
 	}
 	write_unlock_bh(&x25_neigh_list_lock);
 }