From: Roy Li <rongqing.li@windriver.com>
Date: Tue, 20 Sep 2011 19:10:16 +0000 (-0400)
Subject: ipv6: fix a possible double free
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=8603e33d01cb6bd32de46b2596fe47f0c4df6c12;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git

ipv6: fix a possible double free

When calling snmp6_alloc_dev fails, the snmp6 relevant memory
are freed by snmp6_alloc_dev. Calling in6_dev_finish_destroy
will free these memory twice.

Double free will lead that undefined behavior occurs.

Signed-off-by: Roy Li <rongqing.li@windriver.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f012ebd87b4..12368c58606 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -374,8 +374,8 @@ static struct inet6_dev * ipv6_add_dev(struct net_device *dev)
 			"%s(): cannot allocate memory for statistics; dev=%s.\n",
 			__func__, dev->name));
 		neigh_parms_release(&nd_tbl, ndev->nd_parms);
-		ndev->dead = 1;
-		in6_dev_finish_destroy(ndev);
+		dev_put(dev);
+		kfree(ndev);
 		return NULL;
 	}