[PATCH] [bridge] Fix double-free in br_add_if.

From: Jeff Hansen
Date: Fri Sep 25 2009 - 18:58:17 EST


There is a potential double-kfree in net/bridge/br_if.c. If br_fdb_insert
fails, then the kobject is put back (which calls kfree due to the kobject
release), and then kfree is called again on the net_bridge_port. This
patch fixes the crash.

Thanks to Stephen Hemminger for the one-line fix.

Signed-off-by: Jeff Hansen <x@xxxxxxxxxxxxxx>
---
net/bridge/br_if.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index eb404dc..60726e5 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -425,6 +425,7 @@ err2:
br_fdb_delete_by_port(br, p, 1);
err1:
kobject_put(&p->kobj);
+ p = NULL; /* kobject_put frees */
err0:
dev_set_promiscuity(dev, -1);
put_back:
--
1.6.0.4

--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html