From 30df94f800368a016d09ee672c9fcc20751d0260 Mon Sep 17 00:00:00 2001 From: Jeff Hansen Date: Mon, 28 Sep 2009 12:54:25 -0700 Subject: bridge: Fix double-free in br_add_if. There is a potential double-kfree in net/bridge/br_if.c. If br_fdb_insert fails, then the kobject is put back (which calls kfree due to the kobject release), and then kfree is called again on the net_bridge_port. This patch fixes the crash. Thanks to Stephen Hemminger for the one-line fix. Signed-off-by: Jeff Hansen Signed-off-by: David S. Miller --- net/bridge/br_if.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net/bridge') diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index 142ebac14176..b1b3b0fbf41c 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c @@ -432,6 +432,7 @@ err2: br_fdb_delete_by_port(br, p, 1); err1: kobject_put(&p->kobj); + p = NULL; /* kobject_put frees */ err0: dev_set_promiscuity(dev, -1); put_back: -- cgit v1.2.3-59-g8ed1b