bridge: Fix double-free in br_add_if.

There is a potential double-kfree in net/bridge/br_if.c. If br_fdb_insert fails, then the kobject is put back (which calls kfree due to the kobject release), and then kfree is called again on the net_bridge_port. This patch fixes the crash. Thanks to Stephen Hemminger for the one-line fix. Signed-off-by: Jeff Hansen <x@jeffhansen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jeff Hansen <x@jeffhansen.com> 2009-09-28 15:54:25 -0400
committer: David S. Miller <davem@davemloft.net> 2009-09-28 15:54:25 -0400
commit: 30df94f800368a016d09ee672c9fcc20751d0260 (patch)
tree: 1626c98991a1c828d6d359100f5db5bb4e20a946
parent: 8823ad31cd3baf73bd21913cf030b9e7afd22923 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 142ebac14176..b1b3b0fbf41c 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -432,6 +432,7 @@ err2:
        br_fdb_delete_by_port(br, p, 1);
 err1:
        kobject_put(&p->kobj);
+        p = NULL; /* kobject_put frees */
 err0:
        dev_set_promiscuity(dev, -1);
 put_back:
author	Jeff Hansen <x@jeffhansen.com>	2009-09-28 15:54:25 -0400
committer	David S. Miller <davem@davemloft.net>	2009-09-28 15:54:25 -0400
commit	30df94f800368a016d09ee672c9fcc20751d0260 (patch)
tree	1626c98991a1c828d6d359100f5db5bb4e20a946
parent	8823ad31cd3baf73bd21913cf030b9e7afd22923 (diff)

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index 142ebac14176..b1b3b0fbf41c 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c
@@ -432,6 +432,7 @@ err2:
432	br_fdb_delete_by_port(br, p, 1);	432	br_fdb_delete_by_port(br, p, 1);
433	err1:	433	err1:
434	kobject_put(&p->kobj);	434	kobject_put(&p->kobj);
		435	p = NULL; /* kobject_put frees */
435	err0:	436	err0:
436	dev_set_promiscuity(dev, -1);	437	dev_set_promiscuity(dev, -1);
437	put_back:	438	put_back: