Message ID | 1360390249.6696.22.camel@edumazet-glaptop |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
From: Eric Dumazet <erdnetdev@gmail.com> Date: Fri, 08 Feb 2013 22:10:49 -0800 > From: Eric Dumazet <edumazet@google.com> > > commit d0e2c55e7c940 (veth: avoid a NULL deref in veth_stats_one) > added another NULL deref in veth_dellink(). > > # ip link add name veth1 type veth peer name veth0 > # rmmod veth > > We crash because veth_dellink() is called twice, so we must > take care of NULL peer. > > Signed-off-by: Eric Dumazet <edumazet@google.com> Applied, thanks Eric. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/veth.c b/drivers/net/veth.c index e1da42a..07a4af0 100644 --- a/drivers/net/veth.c +++ b/drivers/net/veth.c @@ -426,12 +426,13 @@ static void veth_dellink(struct net_device *dev, struct list_head *head) * not being freed before one RCU grace period. */ RCU_INIT_POINTER(priv->peer, NULL); - - priv = netdev_priv(peer); - RCU_INIT_POINTER(priv->peer, NULL); - unregister_netdevice_queue(dev, head); - unregister_netdevice_queue(peer, head); + + if (peer) { + priv = netdev_priv(peer); + RCU_INIT_POINTER(priv->peer, NULL); + unregister_netdevice_queue(peer, head); + } } static const struct nla_policy veth_policy[VETH_INFO_MAX + 1] = {