From: Gao Feng Date: Tue, 26 Dec 2017 13:44:32 +0000 (+0800) Subject: macvlan: Fix one possible double free X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f22fec25935dee1dd769c84f100b173e1565c335;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git macvlan: Fix one possible double free [ Upstream commit d02fd6e7d2933ede6478a15f9e4ce8a93845824e ] Because the macvlan_uninit would free the macvlan port, so there is one double free case in macvlan_common_newlink. When the macvlan port is just created, then register_netdevice or netdev_upper_dev_link failed and they would invoke macvlan_uninit. Then it would reach the macvlan_port_destroy which triggers the double free. Signed-off-by: Gao Feng Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index fb1c9e095d0c..176fc0906bfe 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -1441,9 +1441,14 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev, return 0; unregister_netdev: + /* macvlan_uninit would free the macvlan port */ unregister_netdevice(dev); + return err; destroy_macvlan_port: - if (create) + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ + if (create && macvlan_port_get_rtnl(dev)) macvlan_port_destroy(port->dev); return err; }