summaryrefslogtreecommitdiff
path: root/net/core/netpoll.c
diff options
context:
space:
mode:
authordavid decotigny <decot@googlers.com>2014-07-08 15:14:41 -0700
committerDavid S. Miller <davem@davemloft.net>2014-07-08 20:50:53 -0700
commitefa95b01da18ad22af62f6d99a3243f3be8fd264 (patch)
treec931e08ed3a660e859bdfc1afd1a2ac014485b8a /net/core/netpoll.c
parentf51de24356e49e4dcb5095e87717065580912120 (diff)
downloadlwn-efa95b01da18ad22af62f6d99a3243f3be8fd264.tar.gz
lwn-efa95b01da18ad22af62f6d99a3243f3be8fd264.zip
netpoll: fix use after free
After a bonding master reclaims the netpoll info struct, slaves could still hold a pointer to the reclaimed data. This patch fixes it: as soon as netpoll_async_cleanup is called for a slave (eg. when un-enslaved), we make sure that this slave doesn't point to the data. Signed-off-by: David Decotigny <decot@googlers.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/netpoll.c')
-rw-r--r--net/core/netpoll.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index e33937fb32a0..907fb5e36c02 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -822,7 +822,8 @@ void __netpoll_cleanup(struct netpoll *np)
RCU_INIT_POINTER(np->dev->npinfo, NULL);
call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info);
- }
+ } else
+ RCU_INIT_POINTER(np->dev->npinfo, NULL);
}
EXPORT_SYMBOL_GPL(__netpoll_cleanup);