netdev.vger.kernel.org archive mirror
* [PATCH] net/caif: Fix dangling list pointer in freed object on error.
@ 2011-02-08 22:33 David Miller
  0 siblings, 0 replies; only message in thread
From: David Miller @ 2011-02-08 22:33 UTC
  To: sjur.brandeland; +Cc: netdev


rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(),
cannot make state changes which need to be undone on failure.  There is
no cleanup mechanism available at this point.

So we have to add the caif private instance to the global list once we
are sure that register_netdev() has succeeded in ->newlink().

Otherwise, if register_netdev() fails, the caller will invoke free_netdev()
and we will have a reference to freed up memory on the chnl_net_list.

Signed-off-by: David S. Miller <davem@davemloft.net>
---

Committed to net-2.6, I need this setup() invariant to be properly
followed tree-wide in order to fix another bug.

 net/caif/chnl_net.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index fa9dab3..6008d6d 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -394,9 +394,7 @@ static void ipcaif_net_setup(struct net_device *dev)
 	priv->conn_req.sockaddr.u.dgm.connection_id = -1;
 	priv->flowenabled = false;
 
-	ASSERT_RTNL();
 	init_waitqueue_head(&priv->netmgmt_wq);
-	list_add(&priv->list_field, &chnl_net_list);
 }
 
 
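Review bot: With the list_add() removed from ipcaif_net_setup(), nothing in this function touches priv->list_field any more, so the node stays uninitialised until ipcaif_newlink() succeeds. If any teardown path that can run after a failed register_netdevice() calls list_del() on it, that would operate on a node that was never linked; an INIT_LIST_HEAD(&priv->list_field) next to init_waitqueue_head() would make removal safe in that case. The changelog also does not say why ASSERT_RTNL() is dropped here; a sentence on that would help.
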
@@ -453,6 +451,8 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
 	ret = register_netdevice(dev);
 	if (ret)
 		pr_warn("device rtml registration failed\n");
+	else
+		list_add(&caifdev->list_field, &chnl_net_list);
 	return ret;
 }
 
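Review bot: The list_add() in the new else branch of ipcaif_newlink() modifies chnl_net_list without the ASSERT_RTNL() that used to sit beside it in ipcaif_net_setup(). If RTNL is what serialises that list, carrying the assertion over to this function keeps the locking requirement documented at the point of modification. Separately, the pr_warn() text on the context line reads "rtml", presumably meant as "rtnl"; that could be fixed in a follow-up.
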
-- 
1.7.4

