bridge: Fix double-free in br_add_if.

There is a potential double-kfree in net/bridge/br_if.c.  If br_fdb_insert
fails, then the kobject is put back (which calls kfree due to the kobject
release), and then kfree is called again on the net_bridge_port.  This
patch fixes the crash.

Thanks to Stephen Hemminger for the one-line fix.

Signed-off-by: Jeff Hansen <x@jeffhansen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 142ebac141764b5deffdbde15c3c6510d6e4d770..b1b3b0fbf41c1b168c67f7ebdf93e3c8f9e32cf5 100644 (file)
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -432,6 +432,7 @@ err2:
        br_fdb_delete_by_port(br, p, 1);
 err1:
        kobject_put(&p->kobj);
+       p = NULL; /* kobject_put frees */
 err0:
        dev_set_promiscuity(dev, -1);
 put_back: