macvlan: Fix one possible double free

[ Upstream commit d02fd6e7d2933ede6478a15f9e4ce8a93845824e ] Because the macvlan_uninit would free the macvlan port, so there is one double free case in macvlan_common_newlink. When the macvlan port is just created, then register_netdevice or netdev_upper_dev_link failed and they would invoke macvlan_uninit. Then it would reach the macvlan_port_destroy which triggers the double free. Signed-off-by: Gao Feng <gfree.wind@vip.163.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Gao Feng <gfree.wind@vip.163.com> 2017-12-26 21:44:32 +0800
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-03-03 10:23:26 +0100
commit: 88f72bd9f99fc2315acfde7a15a1a8eecb154bcb (patch)
tree: aa4b0bdead79290c17fba25df8dd43197ad15f8a
parent: c33d49420c5cdab3420a9516a04b988cb65ee9ad (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 6d55049cd3dc..e8ad4d060da7 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -1377,9 +1377,14 @@ int macvlan_common_newlink(struct net *src_net, struct net_device *dev,
 	return 0;
 
 unregister_netdev:
+	/* macvlan_uninit would free the macvlan port */
 	unregister_netdevice(dev);
+	return err;
 destroy_macvlan_port:
-	if (create)
+	/* the macvlan port may be freed by macvlan_uninit when fail to register.
+	 * so we destroy the macvlan port only when it's valid.
+	 */
+	if (create && macvlan_port_get_rtnl(dev))
 		macvlan_port_destroy(port->dev);
 	return err;
 }
author	Gao Feng <gfree.wind@vip.163.com>	2017-12-26 21:44:32 +0800
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-03-03 10:23:26 +0100
commit	88f72bd9f99fc2315acfde7a15a1a8eecb154bcb (patch)
tree	aa4b0bdead79290c17fba25df8dd43197ad15f8a
parent	c33d49420c5cdab3420a9516a04b988cb65ee9ad (diff)