Message ID | 1514295872-120876-1-git-send-email-gfree.wind@vip.163.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
Series | [net] macvlan: Fix one possible double free | expand |
aFrom: gfree.wind@vip.163.com Date: Tue, 26 Dec 2017 21:44:32 +0800 > From: Gao Feng <gfree.wind@vip.163.com> > > Because the macvlan_uninit would free the macvlan port, so there is one > double free case in macvlan_common_newlink. When the macvlan port is just > created, then register_netdevice or netdev_upper_dev_link failed and they > would invoke macvlan_uninit. Then it would reach the macvlan_port_destroy > which triggers the double free. > > Signed-off-by: Gao Feng <gfree.wind@vip.163.com> Applied.
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index a178c5e..a0f2be8 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -1444,9 +1444,14 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, return 0; unregister_netdev: + /* macvlan_uninit would free the macvlan port */ unregister_netdevice(dev); + return err; destroy_macvlan_port: - if (create) + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ + if (create && macvlan_port_get_rtnl(dev)) macvlan_port_destroy(port->dev); return err; }