Commit b2df5a84 authored Feb 08, 2011 by David S. Miller

net/caif: Fix dangling list pointer in freed object on error.

rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(),
cannot make state changes which need to be undone on failure. There is
no cleanup mechanism available at this point.

So we have to add the caif private instance to the global list once we
are sure that register_netdev() has succedded in ->newlink().

Otherwise, if register_netdev() fails, the caller will invoke free_netdev()
and we will have a reference to freed up memory on the chnl_net_list.

Signed-off-by: David S. Miller <davem@davemloft.net>

parent 84e77a8b

net/caif/chnl_net.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -394,9 +394,7 @@ static void ipcaif_net_setup(struct net_device *dev)
		priv->conn_req.sockaddr.u.dgm.connection_id = -1;
		priv->flowenabled = false;

		ASSERT_RTNL();
		init_waitqueue_head(&priv->netmgmt_wq);
		list_add(&priv->list_field, &chnl_net_list);
		}


		@@ -453,6 +451,8 @@ static int ipcaif_newlink(struct net src_net, struct net_device dev,
		ret = register_netdevice(dev);
		if (ret)
		pr_warn("device rtml registration failed\n");
		else
		list_add(&caifdev->list_field, &chnl_net_list);
		return ret;
		}