bonding: Fix use after free in unregister path
author Jay Vosburgh <fubar@us.ibm.com>
Tue, 19 Jun 2007 18:12:12 +0000 (11:12 -0700)
committer Jeff Garzik <jeff@garzik.org>
Wed, 20 Jun 2007 23:12:41 +0000 (19:12 -0400)
The following patch (based on a patch from Stephen Hemminger
<shemminger@linux-foundation.org>) removes use after free conditions in
the unregister path for the bonding master.  Without this patch, an
operation of the form "echo -bond0 > /sys/class/net/bonding_masters"
would trigger a NULL pointer dereference in sysfs.  I was not able to
induce the failure with the non-sysfs code path, but for consistency I
updated that code as well.

I also did some testing of the bonding /proc file being open
while the bond is being deleted, and didn't see any problems there.

Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
drivers/net/bonding/bond_main.c
drivers/net/bonding/bond_sysfs.c

index 223517dcbcfd48ba48c75710d99b3eeb22ceaa46..6287ffbda7f794c4d2312bc421d4f12fb1b32456 100644 (file)
@@ -4345,8 +4345,8 @@ static void bond_free_all(void)
                bond_mc_list_destroy(bond);
                /* Release the bonded slaves */
                bond_release_all(bond_dev);
-               unregister_netdevice(bond_dev);
                bond_deinit(bond_dev);
+               unregister_netdevice(bond_dev);
        }
 
 #ifdef CONFIG_PROC_FS
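Review bot: the order of bond_deinit(bond_dev) before unregister_netdevice(bond_dev) in bond_free_all() is now a correctness requirement, but nothing at the call site records it. Add a short comment above the pair saying that bond_dev must not be touched once unregister_netdevice() has been called, so a later cleanup does not swap the two lines back. The commit message says the failure could not be induced on this non-sysfs path, so a regression here would likely go unnoticed in testing and the comment would be the main guard.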
index a122baa5c7bb937ebcc5c436d5710fe785ae3b61..60cccf2aa9594e5c98eefd4e93622fdf5257bec9 100644 (file)
@@ -164,9 +164,9 @@ static ssize_t bonding_store_bonds(struct class *cls, const char *buffer, size_t
                                printk(KERN_INFO DRV_NAME
                                        ": %s is being deleted...\n",
                                        bond->dev->name);
-                               unregister_netdevice(bond->dev);
                                bond_deinit(bond->dev);
                                bond_destroy_sysfs_entry(bond);
+                               unregister_netdevice(bond->dev);
                                rtnl_unlock();
                                goto out;
                        }
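Review bot: the teardown sequence ending in unregister_netdevice(bond->dev) in bonding_store_bonds() duplicates the one in bond_free_all(), and the two visibly differ: this one calls bond_destroy_sysfs_entry(bond) between bond_deinit() and the unregister, while the bond_free_all() hunk shows no such call between them. Consider moving the ordered steps into a single helper used by both paths, so the order that avoids the use after free is defined in one place. It is also worth confirming that the code reached through "goto out" does not read bond or bond->dev after the unregister.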