[CRIU] [PATCH 2/7] irmap: don't access a released variable

Andrey Vagin avagin at openvz.org
Tue Mar 8 10:44:00 PST 2016


From: Andrew Vagin <avagin at virtuozzo.com>

p = &(*p)->next
c = *p;
*p = c->next;
xfree(c);
p = &(*p)->next
     ||
     \/
p = &c->next
*p = c->next;
xfree(c);
p = &(*p)->next

Signed-off-by: Andrew Vagin <avagin at virtuozzo.com>
---
 criu/irmap.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/criu/irmap.c b/criu/irmap.c
index c93a995..b855353 100644
--- a/criu/irmap.c
+++ b/criu/irmap.c
@@ -189,7 +189,7 @@ static struct irmap *irmap_scan(struct irmap *t, unsigned int dev, unsigned long
 	return NULL;
 }
 
-static int irmap_revalidate(struct irmap *c, struct irmap **p)
+static int irmap_revalidate(struct irmap *c)
 {
 	struct stat st;
 	int mntns_root;
@@ -213,7 +213,6 @@ static int irmap_revalidate(struct irmap *c, struct irmap **p)
 
 invalid:
 	pr_debug("\t%x:%lx is invalid\n", c->dev, c->ino);
-	*p = c->next;
 	xfree(c->path);
 	xfree(c);
 	return 1;
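Review bot: The `invalid:` path now frees `c` without unlinking it, because the `*p = c->next;` line is removed and nothing in the visible hunks replaces it, so `cache[hv]` or the predecessor's `next` keeps pointing at the freed entry. The lookahead `n` added to the irmap_lookup() loop in the last hunk only protects the current walk; as far as these hunks show, a later lookup that hashes to the same bucket would read freed memory. One way to fix this is to keep the `**p` cursor and the unlink in irmap_revalidate(), and advance `p` only when the entry was not removed, which also reverts the signature and declaration hunks. Both function bodies continue outside the hunks, so confirm that no unlink happens in the parts not shown.
```c
/* irmap_revalidate() keeps its (c, p) signature and the `*p = c->next;` unlink */
	for (p = &cache[hv]; *p; ) {
		c = *p;
		if (!(c->dev == s_dev && c->ino == i_ino)) {
			p = &c->next;
			continue;
		}

		/* entry was unlinked and freed; *p already names its successor */
		if (c->revalidate && irmap_revalidate(c, p))
			continue;

		/* … unchanged: cache-hit handling … */
```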
@@ -223,7 +222,7 @@ static bool doing_predump = false;
 
 char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
 {
-	struct irmap *c, *h, **p;
+	struct irmap *c, *h, *n;
 	char *path = NULL;
 	int hv;
 	struct irmap_path_opt *o;
@@ -243,12 +242,12 @@ char *irmap_lookup(unsigned int s_dev, unsigned long i_ino)
 	timing_start(TIME_IRMAP_RESOLVE);
 
 	hv = irmap_hashfn(s_dev, i_ino);
-	for (p = &cache[hv]; *p; p = &(*p)->next) {
-		c = *p;
+	for (c = cache[hv], n = c ? c->next : NULL;
+				c; c = n, n = c ? c->next : NULL) {
 		if (!(c->dev == s_dev && c->ino == i_ino))
 			continue;
 
-		if (c->revalidate && irmap_revalidate(c, p))
+		if (c->revalidate && irmap_revalidate(c))
 			continue;
 
 		pr_debug("\tFound %s in cache\n", c->path);
-- 
2.5.0


