From: Johannes Berg <johannes@sipsolutions.net>
Date: Mon, 13 Jul 2009 11:25:58 +0000 (+0200)
Subject: mac80211_hwsim: fix use after free
X-Git-Tag: v2.6.31-rc6~41^2~51^2~12
X-Git-Url: http://ftp.safe.ca/?a=commitdiff_plain;h=e603d9d824ff0eda98a65708a7e82112becf2dca;p=safe%2Fjmp%2Flinux-2.6

mac80211_hwsim: fix use after free

Once the "data" pointer is freed, we can't be iterating
to the next item in the list any more so we need to use
list_for_each_entry_safe with a temporary variable.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 5bed824..7916ca3 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -709,7 +709,7 @@ static const struct ieee80211_ops mac80211_hwsim_ops =
 static void mac80211_hwsim_free(void)
 {
 	struct list_head tmplist, *i, *tmp;
-	struct mac80211_hwsim_data *data;
+	struct mac80211_hwsim_data *data, *tmpdata;
 
 	INIT_LIST_HEAD(&tmplist);
 
@@ -718,7 +718,7 @@ static void mac80211_hwsim_free(void)
 		list_move(i, &tmplist);
 	spin_unlock_bh(&hwsim_radio_lock);
 
-	list_for_each_entry(data, &tmplist, list) {
+	list_for_each_entry_safe(data, tmpdata, &tmplist, list) {
 		debugfs_remove(data->debugfs_group);
 		debugfs_remove(data->debugfs_ps);
 		debugfs_remove(data->debugfs);