Commit b2df5a8446e135f7648736b8bec8179c88ce360d
1 parent
84e77a8bc7
Exists in
master
and in
4 other branches
net/caif: Fix dangling list pointer in freed object on error.
rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(), cannot make state changes which need to be undone on failure. There is no cleanup mechanism available at this point. So we have to add the caif private instance to the global list once we are sure that register_netdev() has succedded in ->newlink(). Otherwise, if register_netdev() fails, the caller will invoke free_netdev() and we will have a reference to freed up memory on the chnl_net_list. Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff
net/caif/chnl_net.c
| ... | ... | @@ -394,9 +394,7 @@ |
| 394 | 394 | priv->conn_req.sockaddr.u.dgm.connection_id = -1; |
| 395 | 395 | priv->flowenabled = false; |
| 396 | 396 | |
| 397 | - ASSERT_RTNL(); | |
| 398 | 397 | init_waitqueue_head(&priv->netmgmt_wq); |
| 399 | - list_add(&priv->list_field, &chnl_net_list); | |
| 400 | 398 | } |
| 401 | 399 | |
| 402 | 400 | |
| ... | ... | @@ -453,6 +451,8 @@ |
| 453 | 451 | ret = register_netdevice(dev); |
| 454 | 452 | if (ret) |
| 455 | 453 | pr_warn("device rtml registration failed\n"); |
| 454 | + else | |
| 455 | + list_add(&caifdev->list_field, &chnl_net_list); | |
| 456 | 456 | return ret; |
| 457 | 457 | } |
| 458 | 458 |