From patchwork Tue Dec 26 13:44:32 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gao Feng X-Patchwork-Id: 852974 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3z5cg43Y8Wz9s9Y for ; Wed, 27 Dec 2017 00:45:04 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751091AbdLZNpB (ORCPT ); Tue, 26 Dec 2017 08:45:01 -0500 Received: from m181-177.vip.163.com ([123.58.177.181]:46917 "EHLO m181-177.vip.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750890AbdLZNpB (ORCPT ); Tue, 26 Dec 2017 08:45:01 -0500 Received: from ikuai8.com (unknown [114.246.129.251]) by smtp2 (Coremail) with SMTP id oWZ4CgBXUklAUkJaVtg4AA--.60567S2; Tue, 26 Dec 2017 21:44:46 +0800 (CST) From: gfree.wind@vip.163.com To: davem@davemloft.net, netdev@vger.kernel.org Cc: Gao Feng Subject: [PATCH net] macvlan: Fix one possible double free Date: Tue, 26 Dec 2017 21:44:32 +0800 Message-Id: <1514295872-120876-1-git-send-email-gfree.wind@vip.163.com> X-Mailer: git-send-email 1.9.1 X-CM-TRANSID: oWZ4CgBXUklAUkJaVtg4AA--.60567S2 X-Coremail-Antispam: 1Uf129KBjvdXoWruFyfuF18uw4rCFW7uw47XFb_yoWktwc_Cr 4Iqr17Ww1UCF15Kw17Cw4Yvry5Cr45Xw1kJ34Iq392ka4kXrWvgrZ3uanxX3ZrWry8Zr1D JFnrZr1xK347GjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IU8F_M7UUUUU== X-Originating-IP: [114.246.129.251] X-CM-SenderInfo: 5jiuvvgozl0vg6yl1hqrwthudrp/1tbiCA66s1WFGz-13AAAsS Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Gao Feng Because the macvlan_uninit would free the macvlan port, so there is one double free case in macvlan_common_newlink. When the macvlan port is just created, then register_netdevice or netdev_upper_dev_link failed and they would invoke macvlan_uninit. Then it would reach the macvlan_port_destroy which triggers the double free. Signed-off-by: Gao Feng --- drivers/net/macvlan.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index a178c5e..a0f2be8 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -1444,9 +1444,14 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, return 0; unregister_netdev: + /* macvlan_uninit would free the macvlan port */ unregister_netdevice(dev); + return err; destroy_macvlan_port: - if (create) + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ + if (create && macvlan_port_get_rtnl(dev)) macvlan_port_destroy(port->dev); return err; }