Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b2df5a84 authored by David S. Miller's avatar David S. Miller
Browse files

net/caif: Fix dangling list pointer in freed object on error.



rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(),
cannot make state changes which need to be undone on failure.  There is
no cleanup mechanism available at this point.

So we have to add the caif private instance to the global list once we
are sure that register_netdev() has succedded in ->newlink().

Otherwise, if register_netdev() fails, the caller will invoke free_netdev()
and we will have a reference to freed up memory on the chnl_net_list.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 84e77a8b
Loading
Loading
Loading
Loading
+2 −2
Original line number Diff line number Diff line
@@ -394,9 +394,7 @@ static void ipcaif_net_setup(struct net_device *dev)
	priv->conn_req.sockaddr.u.dgm.connection_id = -1;
	priv->flowenabled = false;

	ASSERT_RTNL();
	init_waitqueue_head(&priv->netmgmt_wq);
	list_add(&priv->list_field, &chnl_net_list);
}


@@ -453,6 +451,8 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
	ret = register_netdevice(dev);
	if (ret)
		pr_warn("device rtml registration failed\n");
	else
		list_add(&caifdev->list_field, &chnl_net_list);
	return ret;
}