From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Fri, 29 Jun 2018 18:49:24 +0000 (-0500)
Subject: PCI: endpoint: Use after free in pci_epf_unregister_driver()
X-Git-Tag: v5.15~8343^2~18
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fb0de5b8dcc68da4a0d39b0f5fcd5368085ad7c1;p=platform%2Fkernel%2Flinux-starfive.git

PCI: endpoint: Use after free in pci_epf_unregister_driver()

We need to use list_for_each_entry_safe() because the
pci_ep_cfs_remove_epf_group() function frees "group".

Fixes: ef1433f717a2 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
---

diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c
index 523a8ca..bf53fad 100644
--- a/drivers/pci/endpoint/pci-epf-core.c
+++ b/drivers/pci/endpoint/pci-epf-core.c
@@ -145,10 +145,10 @@ EXPORT_SYMBOL_GPL(pci_epf_alloc_space);
  */
 void pci_epf_unregister_driver(struct pci_epf_driver *driver)
 {
-	struct config_group *group;
+	struct config_group *group, *tmp;
 
 	mutex_lock(&pci_epf_mutex);
-	list_for_each_entry(group, &driver->epf_group, group_entry)
+	list_for_each_entry_safe(group, tmp, &driver->epf_group, group_entry)
 		pci_ep_cfs_remove_epf_group(group);
 	list_del(&driver->epf_group);
 	mutex_unlock(&pci_epf_mutex);