net/caif: Fix dangling list pointer in freed object on error.

rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(), cannot make state changes which need to be undone on failure. There is no cleanup mechanism available at this point. So we have to add the caif private instance to the global list once we are sure that register_netdev() has succedded in ->newlink(). Otherwise, if register_netdev() fails, the caller will invoke free_netdev() and we will have a reference to freed up memory on the chnl_net_list. Signed-off-by: David S. Miller <[email protected]>
mna · Feb 8, 2011 · b2df5a8 · b2df5a8
1 parent 84e77a8
commit b2df5a8
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
@@ -394,9 +394,7 @@ static void ipcaif_net_setup(struct net_device *dev)
 	priv->conn_req.sockaddr.u.dgm.connection_id = -1;
 	priv->flowenabled = false;
 
-	ASSERT_RTNL();
 	init_waitqueue_head(&priv->netmgmt_wq);
-	list_add(&priv->list_field, &chnl_net_list);
 }
 
 
@@ -453,6 +451,8 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
 	ret = register_netdevice(dev);
 	if (ret)
 		pr_warn("device rtml registration failed\n");
+	else
+		list_add(&caifdev->list_field, &chnl_net_list);
 	return ret;
 }