From: t_jeang Date: Tue, 6 Jan 2009 12:06:05 +0000 (+0000) Subject: commit 3201e656ce56ed02e9501906c18ffe16ae350a52 X-Git-Tag: quiet-no-ufo X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=7aa16caf9d08e23d1f4bb9b77030947ef28e7c16;p=xenclient%2Fkernel.git commit 3201e656ce56ed02e9501906c18ffe16ae350a52 Author: Jay Vosburgh Date: Tue Jun 19 11:12:12 2007 -0700 bonding: Fix use after free in unregister path The following patch (based on a patch from Stephen Hemminger ) removes use after free conditions in the unregister path for the bonding master. Without this patch, an operation of the form "echo -bond0 > /sys/class/net/bonding_masters" would trigger a NULL pointer dereference in sysfs. I was not able to induce the failure with the non-sysfs code path, but for consistency I updated that code as well. I also did some testing of the bonding /proc file being open while the bond is being deleted, and didn't see any problems there. Signed-off-by: Jay Vosburgh Signed-off-by: Jeff Garzik --- diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index bdcb9654..d7c4a1f7 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4378,8 +4378,8 @@ static void bond_free_all(void) bond_mc_list_destroy(bond); /* Release the bonded slaves */ bond_release_all(bond_dev); - unregister_netdevice(bond_dev); bond_deinit(bond_dev); + unregister_netdevice(bond_dev); } #ifdef CONFIG_PROC_FS diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c index 6634d6ad..481f55ec 100644 --- a/drivers/net/bonding/bond_sysfs.c +++ b/drivers/net/bonding/bond_sysfs.c @@ -166,9 +166,9 @@ static ssize_t bonding_store_bonds(struct class *cls, const char *buffer, size_t printk(KERN_INFO DRV_NAME ": %s is being deleted...\n", bond->dev->name); - unregister_netdevice(bond->dev); bond_deinit(bond->dev); bond_destroy_sysfs_entry(bond); + unregister_netdevice(bond->dev); rtnl_unlock(); goto out; }