bonding: fix error handling if slave is busy (v2)

If slave device already has a receive handler registered, then the
error unwind of bonding device enslave function is broken.

The following will leave a pointer to freed memory in the slave
device list, causing a later kernel panic.
# modprobe dummy
# ip li add dummy0-1 link dummy0 type macvlan
# modprobe bonding
# echo +dummy0 >/sys/class/net/bond0/bonding/slaves

The fix is to detach the slave (which removes it from the list)
in the unwind path.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Reviewed-by: Nicolas de Pesloüan <nicolas.2p.debian@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 0c0dacba1f51f52c4b4d21f923ba6f10c432f3c7..435984ad8b2f1a8bedd54ba49eb4269f3991bd3a 100644 (file)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1822,7 +1822,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
                                 "but new slave device does not support netpoll.\n",
                                 bond_dev->name);
                        res = -EBUSY;
-                       goto err_close;
+                       goto err_detach;
                }
        }
 #endif
@@ -1831,7 +1831,7 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
 
        res = bond_create_slave_symlinks(bond_dev, slave_dev);
        if (res)
-               goto err_close;
+               goto err_detach;
 
        res = netdev_rx_handler_register(slave_dev, bond_handle_frame,
                                         new_slave);
@@ -1852,6 +1852,11 @@ int bond_enslave(struct net_device *bond_dev, struct net_device *slave_dev)
 err_dest_symlinks:
        bond_destroy_slave_symlinks(bond_dev, slave_dev);
 
+err_detach:
+       write_lock_bh(&bond->lock);
+       bond_detach_slave(bond, new_slave);
+       write_unlock_bh(&bond->lock);
+
 err_close:
        dev_close(slave_dev);