[NET_SCHED]: Fix filter double free
authorPatrick McHardy <kaber@trash.net>
Tue, 5 Jun 2007 23:06:59 +0000 (16:06 -0700)
committerDavid S. Miller <davem@sunset.davemloft.net>
Thu, 7 Jun 2007 20:41:05 +0000 (13:41 -0700)
cbq and atm destroy their filters twice when destroying inner classes
during qdisc destruction.

Reported-and-tested-by: Strobl Anton <a.strobl@aws-it.at>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/sch_atm.c
net/sched/sch_cbq.c

index be7d299..d1c383f 100644 (file)
@@ -599,6 +599,7 @@ static void atm_tc_destroy(struct Qdisc *sch)
        /* races ? */
        while ((flow = p->flows)) {
                tcf_destroy_chain(flow->filter_list);
+               flow->filter_list = NULL;
                if (flow->ref > 1)
                        printk(KERN_ERR "atm_destroy: %p->ref = %d\n",flow,
                            flow->ref);
index a294542..ee2d596 100644 (file)
@@ -1748,10 +1748,12 @@ cbq_destroy(struct Qdisc* sch)
         * classes from root to leafs which means that filters can still
         * be bound to classes which have been destroyed already. --TGR '04
         */
-       for (h = 0; h < 16; h++)
-               for (cl = q->classes[h]; cl; cl = cl->next)
+       for (h = 0; h < 16; h++) {
+               for (cl = q->classes[h]; cl; cl = cl->next) {
                        tcf_destroy_chain(cl->filter_list);
-
+                       cl->filter_list = NULL;
+               }
+       }
        for (h = 0; h < 16; h++) {
                struct cbq_class *next;