From: Jeff Hansen <x@jeffhansen.com>
Date: Mon, 28 Sep 2009 19:54:25 +0000 (-0700)
Subject: bridge: Fix double-free in br_add_if.
X-Git-Tag: archive/raspbian/4.9.13-1+rpi1~10^2~20253^2~261
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https:/%22bookmarks:///%22http:/www.example.com/cgi/%22https:/%22bookmarks:/?a=commitdiff_plain;h=30df94f800368a016d09ee672c9fcc20751d0260;p=linux-4.9.git

bridge: Fix double-free in br_add_if.

There is a potential double-kfree in net/bridge/br_if.c.  If br_fdb_insert
fails, then the kobject is put back (which calls kfree due to the kobject
release), and then kfree is called again on the net_bridge_port.  This
patch fixes the crash.

Thanks to Stephen Hemminger for the one-line fix.

Signed-off-by: Jeff Hansen <x@jeffhansen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 142ebac14176..b1b3b0fbf41c 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -432,6 +432,7 @@ err2:
 	br_fdb_delete_by_port(br, p, 1);
 err1:
 	kobject_put(&p->kobj);
+	p = NULL; /* kobject_put frees */
 err0:
 	dev_set_promiscuity(dev, -1);
 put_back: