[CRIU] [PATCH 3/8] cgroups: fix use_after_free issue

Tycho Andersen tycho.andersen at canonical.com
Fri Oct 31 11:41:30 PDT 2014


On Fri, Oct 31, 2014 at 05:50:45PM +0300, Andrey Vagin wrote:
> list_for_each_entry_safe() should be used if we are going to delete
> something from a list.
> 
> CID 73383 (#1 of 1): Read from pointer after free (USE_AFTER_FREE)
> 4. deref_after_free: Dereferencing freed pointer prop.
> 
> Cc: Tycho Andersen <tycho.andersen at canonical.com>

Acked-by: Tycho Andersen <tycho.andersen at canonical.com>

> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> ---
>  cgroup.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/cgroup.c b/cgroup.c
> index a4ea474..fb5c8ac 100644
> --- a/cgroup.c
> +++ b/cgroup.c
> @@ -366,9 +366,10 @@ static void free_cgroup_prop(struct cgroup_prop *prop)
>  
>  static void free_all_cgroup_props(struct cgroup_dir *ncd)
>  {
> -	struct cgroup_prop *prop;
> +	struct cgroup_prop *prop, *t;
>  
> -	list_for_each_entry(prop, &ncd->properties, list) {
> +	list_for_each_entry_safe(prop, t, &ncd->properties, list) {
> +		list_del(&prop->list);
>  		free_cgroup_prop(prop);
>  	}
>  
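
Review bot: the list_del(&prop->list) added in the loop body of free_all_cgroup_props() is a second change that the commit message does not mention; the message only covers the switch to list_for_each_entry_safe(). Suggest adding a sentence saying each entry is now unlinked before free_cgroup_prop(prop) is called, so that ncd->properties is left as an empty list instead of still linking to entries that were just freed. As a style point, the new cursor in the declaration could be named tmp rather than t so its role as the saved next pointer is clearer.
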
> -- 
> 1.9.3
> 

