From c457b106f14086bc1e0feab2eb8e27a3bcb87213 Mon Sep 17 00:00:00 2001
From: Simon Wilkinson
Date: Tue, 19 Feb 2013 17:15:42 +0000
Subject: [PATCH] fstrace: Avoid accessing icl log after zapping it

The for loop in icl_EnumerateLogs looks up the next pointer in the current entry after zapping it. Depending on reference counts, this may result in us looking up freed memory.

Take a copy of the next point before zapping the current entry, just in case.

Caught by clang-analyzer

Change-Id: If38f0af2b01c5b8ea00e68e4432c6ad5517578c8
Reviewed-on: http://gerrit.openafs.org/9190
Tested-by: BuildBot
Reviewed-by: Derrick Brashear
Reviewed-by: Jeffrey Altman
---
 src/venus/fstrace.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/venus/fstrace.c b/src/venus/fstrace.c
index 2ed8e6ea3..56daa9392 100644
--- a/src/venus/fstrace.c
+++ b/src/venus/fstrace.c
@@ -1611,12 +1611,13 @@ icl_EnumerateLogs(int (*aproc)
 (char *name, void *arock, struct afs_icl_log * tp),
 void *arock)
 {
- struct afs_icl_log *tp;
+ struct afs_icl_log *tp, *np;
 afs_int32 code;

 code = 0;
- for (tp = afs_icl_allLogs; tp; tp = tp->nextp) {
+ for (tp = afs_icl_allLogs; tp; tp = np) {
 tp->refCount++; /* hold this guy */
+ np = tp->nextp;
 code = (*aproc) (tp->name, arock, tp);
 if (--tp->refCount == 0)
 icl_ZapLog(tp);
-- 
2.39.5
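Review bot: `np` is read before `(*aproc)` runs and nothing pins it, so if the callback unlinks or releases the entry that follows `tp`, the loop advances to a stale pointer, the same class of freed-memory access this patch is meant to close. Whether any callback can alter `afs_icl_allLogs` is not visible in this hunk, but taking the link after the call and before the refcount drop is safe either way: move `np = tp->nextp;` to just above `if (--tp->refCount == 0)`. A short comment there, such as `/* tp may be zapped below; read the link first, np itself is not held */`, would record why the order matters. The function begins before the hunk and its loop tail continues past it, so the handling of `code` after the zap could not be checked here.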