veth: fix NULL dereference in veth_dellink()

commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one) added another NULL deref in veth_dellink(). # ip link add name veth1 type veth peer name veth0 # rmmod veth We crash because veth_dellink() is called twice, so we must take care of NULL peer. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>

veth: fix NULL dereference in veth_dellink()
commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one) added another NULL deref in veth_dellink(). # ip link add name veth1 type veth peer name veth0 # rmmod veth We crash because veth_dellink() is called twice, so we must take care of NULL peer. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet · David S. Miller
1 parent 715448ff52
Showing 1 changed file with 6 additions and 5 deletions Side-by-side Diff
drivers/net/veth.c
@@ -426,12 +426,13 @@
 	 * not being freed before one RCU grace period.
 	 */
 	RCU_INIT_POINTER(priv->peer, NULL);
-
-	priv = netdev_priv(peer);
-	RCU_INIT_POINTER(priv->peer, NULL);
-
 	unregister_netdevice_queue(dev, head);
-	unregister_netdevice_queue(peer, head);
+
+	if (peer) {
+		priv = netdev_priv(peer);
+		RCU_INIT_POINTER(priv->peer, NULL);
+		unregister_netdevice_queue(peer, head);
+	}
 }
  
 static const struct nla_policy veth_policy[VETH_INFO_MAX + 1] = {
...	...	@@ -426,12 +426,13 @@
426	426	* not being freed before one RCU grace period.
427	427	*/
428	428	RCU_INIT_POINTER(priv->peer, NULL);
429		-
430		- priv = netdev_priv(peer);
431		- RCU_INIT_POINTER(priv->peer, NULL);
432		-
433	429	unregister_netdevice_queue(dev, head);
434		- unregister_netdevice_queue(peer, head);
	430	+
	431	+ if (peer) {
	432	+ priv = netdev_priv(peer);
	433	+ RCU_INIT_POINTER(priv->peer, NULL);
	434	+ unregister_netdevice_queue(peer, head);
	435	+ }
435	436	}
436	437
437	438	static const struct nla_policy veth_policy[VETH_INFO_MAX + 1] = {