author | James Smart <jsmart2021@gmail.com> | 2017-08-14 11:20:32 -0700 |
---|---|---|
committer | Christoph Hellwig <hch@lst.de> | 2017-08-16 10:06:18 +0200 |
commit | 16a5a480f067f945fd27bf91ffdce3f959b0d4b6 (patch) | |
tree | d04bb93e2ec23fa0fa679794e954943920396b5d /drivers/nvme/target | |
parent | 42819eb7a0957cc340ad4ed8bba736bab5ebc464 (diff) | |
nvmet-fc: correct use after free on list teardown
Use list_for_each_entry_safe to prevent list handling from referencing
next pointers directly after list_del's
Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Diffstat (limited to 'drivers/nvme/target')
-rw-r--r-- | drivers/nvme/target/fc.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/nvme/target/fc.c b/drivers/nvme/target/fc.c
index 1b7f252..b200f9a 100644
--- a/drivers/nvme/target/fc.c
+++ b/drivers/nvme/target/fc.c
@@ -704,7 +704,7 @@ nvmet_fc_delete_target_queue(struct nvmet_fc_tgt_queue *queue)
 {
 struct nvmet_fc_tgtport *tgtport = queue->assoc->tgtport;
 struct nvmet_fc_fcp_iod *fod = queue->fod;
- struct nvmet_fc_defer_fcp_req *deferfcp;
+ struct nvmet_fc_defer_fcp_req *deferfcp, *tempptr;
 unsigned long flags;
 int i, writedataactive;
 bool disconnect;
@@ -735,7 +735,8 @@ nvmet_fc_delete_target_queue(struct nvmet_fc_tgt_queue *queue)
 }
 /* Cleanup defer'ed IOs in queue */
- list_for_each_entry(deferfcp, &queue->avail_defer_list, req_list) {
+ list_for_each_entry_safe(deferfcp, tempptr, &queue->avail_defer_list,
+ req_list) {
 list_del(&deferfcp->req_list);
 kfree(deferfcp);
 } |
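Review bot: The `list_for_each_entry_safe` loop in the second hunk only protects against the loop body unlinking and freeing the current entry; it does nothing if another context can add to or remove from `queue->avail_defer_list` while this teardown runs. Whether a lock is held around the loop is not visible here (the `unsigned long flags` local in the first hunk suggests an irqsave section somewhere in the function, but `nvmet_fc_delete_target_queue` starts and continues outside both hunks), so that is worth confirming before relying on this as the complete fix. I would also extend the existing comment so the reason for the iterator choice survives later edits, e.g. `/* Cleanup defer'ed IOs in queue; entries are freed in the body, so the _safe iterator must cache the next pointer */`. As a minor style point, `tempptr` could be named `tmp` or `next`, which reads more clearly as the iterator's saved cursor.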