There is a potential double-kfree in net/bridge/br_if.c. If br_fdb_insert fails, then the kobject is put back (which calls kfree due to the kobject release), and then kfree is called again on the net_bridge_port. This patch fixes the crash.
Signed-off-by: Jeff Hansen <x@xxxxxxxxxxxxxx>
---
 net/bridge/br_if.c | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index eb404dc..1becec1 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -368,7 +368,7 @@ done:
 int br_add_if(struct net_bridge *br, struct net_device *dev)
 {
 struct net_bridge_port *p;
- int err = 0;
+ int err = 0, kobj_initted = 0;
 if (dev->flags & IFF_LOOPBACK || dev->type != ARPHRD_ETHER)
 return -EINVAL;
@@ -391,6 +391,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
 SYSFS_BRIDGE_PORT_ATTR);
 if (err)
 goto err0;
+ kobj_initted = 1;
 err = br_fdb_insert(br, p, dev->dev_addr);
 if (err)
@@ -429,7 +430,8 @@ err0:
 dev_set_promiscuity(dev, -1);
 put_back:
 dev_put(dev);
- kfree(p);
+ if (!kobj_initted)
+ kfree(p);
 return err;
 }
--
1.6.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
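Review bot: In the second hunk `kobj_initted = 1;` is set only after the call ending in `SYSFS_BRIDGE_PORT_ATTR);` has succeeded, so when that call fails the `goto err0` path still releases `p` with a bare `kfree(p)`. The call starts above the hunk; if it is `kobject_init_and_add()`, as the commit message suggests, the kobject documentation asks for `kobject_put()` on failure too, because the kobject name may already have been allocated and a plain kfree would leak it. Either route this failure through the put path as well, or add a comment next to `goto err0;` stating why a direct free is sufficient for a half-initialised kobject.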
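Review bot: In the third hunk, guarding `kfree(p)` with a separate `kobj_initted` flag avoids the double free but leaves `p` dangling once the kobject release has freed it. The flag also has to be kept in step by hand with every error label added above `put_back` later. Clearing the pointer where the reference is dropped, `p = NULL; /* kobject_put frees */` directly after the put in the earlier error label (outside this hunk), would let `kfree(p)` stay unconditional, since `kfree(NULL)` is a no-op. It would also make any later use of `p` on the unwind path fault on a null pointer instead of touching freed memory. If the flag is kept, declare it as `bool` and put a comment such as `/* once the kobject is initialised, its release callback owns p */` above the `if (!kobj_initted)` check.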