diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-08-22 16:41:28 -0400 |
|---|---|---|
| committer | Tyler Hicks <tyhicks@canonical.com> | 2017-11-06 13:22:34 -0500 |
| commit | db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 (patch) | |
| tree | 41c89d821f67a296b66a265a8ffcf04406f0db35 | |
| parent | abbae6d560c1d562c5c0d10785469734784ef961 (diff) | |
eCryptfs: use after free in ecryptfs_release_messaging()
We're freeing the list iterator so we should be using the _safe()
version of hlist_for_each_entry().
Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
| -rw-r--r-- | fs/ecryptfs/messaging.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c index 286f10b0363b..4f457d5c4933 100644 --- a/fs/ecryptfs/messaging.c +++ b/fs/ecryptfs/messaging.c | |||
| @@ -442,15 +442,16 @@ void ecryptfs_release_messaging(void) | |||
| 442 | } | 442 | } |
| 443 | if (ecryptfs_daemon_hash) { | 443 | if (ecryptfs_daemon_hash) { |
| 444 | struct ecryptfs_daemon *daemon; | 444 | struct ecryptfs_daemon *daemon; |
| 445 | struct hlist_node *n; | ||
| 445 | int i; | 446 | int i; |
| 446 | 447 | ||
| 447 | mutex_lock(&ecryptfs_daemon_hash_mux); | 448 | mutex_lock(&ecryptfs_daemon_hash_mux); |
| 448 | for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { | 449 | for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { |
| 449 | int rc; | 450 | int rc; |
| 450 | 451 | ||
| 451 | hlist_for_each_entry(daemon, | 452 | hlist_for_each_entry_safe(daemon, n, |
| 452 | &ecryptfs_daemon_hash[i], | 453 | &ecryptfs_daemon_hash[i], |
| 453 | euid_chain) { | 454 | euid_chain) { |
| 454 | rc = ecryptfs_exorcise_daemon(daemon); | 455 | rc = ecryptfs_exorcise_daemon(daemon); |
| 455 | if (rc) | 456 | if (rc) |
| 456 | printk(KERN_ERR "%s: Error whilst " | 457 | printk(KERN_ERR "%s: Error whilst " |