diff options
author | Johannes Berg <johannes@sipsolutions.net> | 2009-07-13 07:25:58 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-07-21 12:07:40 -0400 |
commit | e603d9d824ff0eda98a65708a7e82112becf2dca (patch) | |
tree | ead78be30bfde8b11f6a5b60c3d2712b0136ebd4 /drivers | |
parent | 5d41635195c06fc3116ef3921fe85a9a3ea5ab20 (diff) |
mac80211_hwsim: fix use after free
Once the "data" pointer is freed, we can't be iterating
to the next item in the list any more so we need to use
list_for_each_entry_safe with a temporary variable.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/wireless/mac80211_hwsim.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 5bed8241f3cc..7916ca3f84c8 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c | |||
@@ -709,7 +709,7 @@ static const struct ieee80211_ops mac80211_hwsim_ops = | |||
709 | static void mac80211_hwsim_free(void) | 709 | static void mac80211_hwsim_free(void) |
710 | { | 710 | { |
711 | struct list_head tmplist, *i, *tmp; | 711 | struct list_head tmplist, *i, *tmp; |
712 | struct mac80211_hwsim_data *data; | 712 | struct mac80211_hwsim_data *data, *tmpdata; |
713 | 713 | ||
714 | INIT_LIST_HEAD(&tmplist); | 714 | INIT_LIST_HEAD(&tmplist); |
715 | 715 | ||
@@ -718,7 +718,7 @@ static void mac80211_hwsim_free(void) | |||
718 | list_move(i, &tmplist); | 718 | list_move(i, &tmplist); |
719 | spin_unlock_bh(&hwsim_radio_lock); | 719 | spin_unlock_bh(&hwsim_radio_lock); |
720 | 720 | ||
721 | list_for_each_entry(data, &tmplist, list) { | 721 | list_for_each_entry_safe(data, tmpdata, &tmplist, list) { |
722 | debugfs_remove(data->debugfs_group); | 722 | debugfs_remove(data->debugfs_group); |
723 | debugfs_remove(data->debugfs_ps); | 723 | debugfs_remove(data->debugfs_ps); |
724 | debugfs_remove(data->debugfs); | 724 | debugfs_remove(data->debugfs); |