Commit f93f3c4e authored Jul 31, 2013 by Dan Carpenter Committed by Linus Torvalds Jul 31, 2013

rapidio: fix use after free in rio_unregister_scan()



We're freeing the list iterator so we can't move to the next entry.
Since there is only one matching mport_id, we can just break after
finding it.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Ryan Mallon <rmallon@gmail.com>
Acked-by: Alexandre Bounine <alexandre.bounine@idt.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 4e505294

drivers/rapidio/rio.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1715,10 +1715,12 @@ int rio_unregister_scan(int mport_id, struct rio_scan *scan_ops)
		(mport_id == RIO_MPORT_ANY && port->nscan == scan_ops))
		port->nscan = NULL;

		list_for_each_entry(scan, &rio_scans, node)
		list_for_each_entry(scan, &rio_scans, node) {
		if (scan->mport_id == mport_id) {
		list_del(&scan->node);
		kfree(scan);
		break;
		}
		}

		mutex_unlock(&rio_mport_list_lock);