summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-06-05 16:06:59 -0700
committerDavid S. Miller <davem@sunset.davemloft.net>2007-06-07 13:41:05 -0700
commitb00b4bf94edb42852d55619af453588b2de2dc5e (patch)
tree01f79f50daf04a1f73a5d93365307711907b3169
parent7c355f532dd43036622e1880c114773463bafd23 (diff)
downloadkernel-crypto-b00b4bf94edb42852d55619af453588b2de2dc5e.tar.gz
kernel-crypto-b00b4bf94edb42852d55619af453588b2de2dc5e.tar.xz
kernel-crypto-b00b4bf94edb42852d55619af453588b2de2dc5e.zip
[NET_SCHED]: Fix filter double free
cbq and atm destroy their filters twice when destroying inner classes during qdisc destruction. Reported-and-tested-by: Strobl Anton <a.strobl@aws-it.at> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sched/sch_atm.c1
-rw-r--r--net/sched/sch_cbq.c8
2 files changed, 6 insertions, 3 deletions
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index be7d299acd7..d1c383fca82 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -599,6 +599,7 @@ static void atm_tc_destroy(struct Qdisc *sch)
/* races ? */
while ((flow = p->flows)) {
tcf_destroy_chain(flow->filter_list);
+ flow->filter_list = NULL;
if (flow->ref > 1)
printk(KERN_ERR "atm_destroy: %p->ref = %d\n",flow,
flow->ref);
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index a294542cb8e..ee2d5967d10 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -1748,10 +1748,12 @@ cbq_destroy(struct Qdisc* sch)
* classes from root to leafs which means that filters can still
* be bound to classes which have been destroyed already. --TGR '04
*/
- for (h = 0; h < 16; h++)
- for (cl = q->classes[h]; cl; cl = cl->next)
+ for (h = 0; h < 16; h++) {
+ for (cl = q->classes[h]; cl; cl = cl->next) {
tcf_destroy_chain(cl->filter_list);
-
+ cl->filter_list = NULL;
+ }
+ }
for (h = 0; h < 16; h++) {
struct cbq_class *next;