From d212b4633c3a99561939f2d423eacf3263850bcd Mon Sep 17 00:00:00 2001 From: Haiyang Zhang Date: Wed, 23 Mar 2016 09:43:09 -0700 Subject: [PATCH] hv_netvsc: Fix accessing freed memory in netvsc_change_mtu() struct netvsc_device is freed in rndis_filter_device_remove(). So we save the nvdev->num_chn into a temp variable for later usage. (Please also include this patch into stable branch.) Signed-off-by: Haiyang Zhang Reviewed-by: K. Y. Srinivasan Signed-off-by: David S. Miller --- drivers/net/hyperv/netvsc_drv.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c index 08608499fa17..b8121eba33ff 100644 --- a/drivers/net/hyperv/netvsc_drv.c +++ b/drivers/net/hyperv/netvsc_drv.c @@ -858,6 +858,7 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu) struct netvsc_device *nvdev = hv_get_drvdata(hdev); struct netvsc_device_info device_info; int limit = ETH_DATA_LEN; + u32 num_chn; int ret = 0; if (nvdev == NULL || nvdev->destroy) @@ -873,6 +874,8 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu) if (ret) goto out; + num_chn = nvdev->num_chn; + nvdev->start_remove = true; rndis_filter_device_remove(hdev); @@ -883,7 +886,7 @@ static int netvsc_change_mtu(struct net_device *ndev, int mtu) memset(&device_info, 0, sizeof(device_info)); device_info.ring_size = ring_size; - device_info.num_chn = nvdev->num_chn; + device_info.num_chn = num_chn; device_info.max_num_vrss_chns = max_num_vrss_chns; rndis_filter_device_add(hdev, &device_info); -- 2.20.1