diff options
author | Eric Dumazet <edumazet@google.com> | 2013-02-08 20:10:49 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-02-10 20:41:43 -0500 |
commit | f45a5c267da35174e22cec955093a7513dc1623d (patch) | |
tree | 1853900d36f56c6683d26ea33d06add8cbe2fea7 /drivers | |
parent | 715448ff52e71ed055f352ffcba1ab8e4455ff99 (diff) | |
download | op-kernel-dev-f45a5c267da35174e22cec955093a7513dc1623d.zip op-kernel-dev-f45a5c267da35174e22cec955093a7513dc1623d.tar.gz |
veth: fix NULL dereference in veth_dellink()
commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one)
added another NULL deref in veth_dellink().
# ip link add name veth1 type veth peer name veth0
# rmmod veth
We crash because veth_dellink() is called twice, so we must
take care of NULL peer.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/net/veth.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/net/veth.c b/drivers/net/veth.c index e1da42a..07a4af0 100644 --- a/drivers/net/veth.c +++ b/drivers/net/veth.c @@ -426,12 +426,13 @@ static void veth_dellink(struct net_device *dev, struct list_head *head) * not being freed before one RCU grace period. */ RCU_INIT_POINTER(priv->peer, NULL); - - priv = netdev_priv(peer); - RCU_INIT_POINTER(priv->peer, NULL); - unregister_netdevice_queue(dev, head); - unregister_netdevice_queue(peer, head); + + if (peer) { + priv = netdev_priv(peer); + RCU_INIT_POINTER(priv->peer, NULL); + unregister_netdevice_queue(peer, head); + } } static const struct nla_policy veth_policy[VETH_INFO_MAX + 1] = { |