urcu call_rcu: fix use after free()

call_rcu_after_fork_child() needs to use cds_list_for_each_entry_safe to
safely iterate on the list as its item is being freed.

Signed-off-by: Lai Jiangshan <laijs@cn.fujitsu.com>
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>

diff --git a/urcu-call-rcu-impl.h b/urcu-call-rcu-impl.h
index 1fbce98e27cda467c9419e297275f01ad8e535fa..6cb08be5731299c0d3334face6296faf9a98d7e7 100644 (file)
--- a/urcu-call-rcu-impl.h
+++ b/urcu-call-rcu-impl.h
@@ -651,7 +651,7 @@ void call_rcu_after_fork_parent(void)
  */
 void call_rcu_after_fork_child(void)
 {
-       struct call_rcu_data *crdp;
+       struct call_rcu_data *crdp, *next;
 
        /* Release the mutex. */
        call_rcu_unlock(&call_rcu_mutex);
@@ -664,12 +664,9 @@ void call_rcu_after_fork_child(void)
        (void)get_default_call_rcu_data();
 
        /* Dispose of all of the rest of the call_rcu_data structures. */
-       while (call_rcu_data_list.next != call_rcu_data_list.prev) {
-               crdp = cds_list_entry(call_rcu_data_list.prev,
-                                     struct call_rcu_data, list);
+       cds_list_for_each_entry_safe(crdp, next, &call_rcu_data_list, list) {
                if (crdp == default_call_rcu_data)
-                       crdp = cds_list_entry(crdp->list.prev,
-                                             struct call_rcu_data, list);
+                       continue;
                uatomic_set(&crdp->flags, URCU_CALL_RCU_STOPPED);
                call_rcu_data_free(crdp);
        }