From: Dan Carpenter Date: Wed, 29 Oct 2014 16:10:57 +0000 (+0300) Subject: Bluetooth: 6lowpan: use after free in disconnect_devices() X-Git-Tag: firefly_0821_release~176^2~2717^2~28^2~129^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=daac197ca9966eca3a6b07600e579756a9a1d447;p=firefly-linux-kernel-4.4.55.git Bluetooth: 6lowpan: use after free in disconnect_devices() This was accidentally changed from list_for_each_entry_safe() to list_for_each_entry() so now it has a use after free bug. I've changed it back. Fixes: 90305829635d ('Bluetooth: 6lowpan: Converting rwlocks to use RCU') Signed-off-by: Dan Carpenter Acked-by: Jukka Rissanen Signed-off-by: Marcel Holtmann --- diff --git a/net/bluetooth/6lowpan.c b/net/bluetooth/6lowpan.c index 7254bddaca2f..eef298d17452 100644 --- a/net/bluetooth/6lowpan.c +++ b/net/bluetooth/6lowpan.c @@ -1383,7 +1383,7 @@ static const struct file_operations lowpan_control_fops = { static void disconnect_devices(void) { - struct lowpan_dev *entry, *new_dev; + struct lowpan_dev *entry, *tmp, *new_dev; struct list_head devices; INIT_LIST_HEAD(&devices); @@ -1408,7 +1408,7 @@ static void disconnect_devices(void) rcu_read_unlock(); - list_for_each_entry(entry, &devices, list) { + list_for_each_entry_safe(entry, tmp, &devices, list) { ifdown(entry->netdev); BT_DBG("Unregistering netdev %s %p", entry->netdev->name, entry->netdev);