Patchwork bridge: bad error handling when adding invalid ether address

login
register
mail settings
Submitter stephen hemminger
Date March 26, 2009, 3:57 a.m.
Message ID <20090325205700.1a4a7fd6@nehalam>
Download mbox | patch
Permalink /patch/25126/
State Accepted
Delegated to: David Miller
Headers show

Comments

stephen hemminger - March 26, 2009, 3:57 a.m.
This fixes an crash when empty bond device is added to a bridge.
If an interface with invalid ethernet address (all zero) is added
to a bridge, then bridge code detects it when setting up the forward
databas entry. But the error unwind is broken, the bridge port object 
can get freed twice: once when ref count went to zeo, and once by kfree.
Since object is never really accessible, just free it.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
Patch against 2.6.29, but same code has been around for a while
in older releases, so should apply to 2.6.27.y as well.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - March 26, 2009, 4:01 a.m.
From: Stephen Hemminger <shemminger@vyatta.com>
Date: Wed, 25 Mar 2009 20:57:00 -0700

> This fixes an crash when empty bond device is added to a bridge.
> If an interface with invalid ethernet address (all zero) is added
> to a bridge, then bridge code detects it when setting up the forward
> databas entry. But the error unwind is broken, the bridge port object 
> can get freed twice: once when ref count went to zeo, and once by kfree.
> Since object is never really accessible, just free it.
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

--- a/net/bridge/br_if.c	2009-03-25 20:29:08.310404430 -0700
+++ b/net/bridge/br_if.c	2009-03-25 20:48:21.353468017 -0700
@@ -426,7 +426,6 @@  err2:
 err1:
 	kobject_del(&p->kobj);
 err0:
-	kobject_put(&p->kobj);
 	dev_set_promiscuity(dev, -1);
 put_back:
 	dev_put(dev);