Commit 662ca437 authored by Jason Wang's avatar Jason Wang Committed by David S. Miller

tuntap: correctly handle error in tun_set_iff()

Commit c8d68e6b
(tuntap: multiqueue support) only call free_netdev() on error in
tun_set_iff(). This causes several issues:

- memory of tun security were leaked
- use after free since the flow gc timer was not deleted and the tfile
  were not detached

This patch solves the above issues.
Reported-by: default avatarWannes Rombouts <wannes.rombouts@epitech.eu>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a9677bc0
...@@ -1641,11 +1641,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) ...@@ -1641,11 +1641,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
INIT_LIST_HEAD(&tun->disabled); INIT_LIST_HEAD(&tun->disabled);
err = tun_attach(tun, file, false); err = tun_attach(tun, file, false);
if (err < 0) if (err < 0)
goto err_free_dev; goto err_free_flow;
err = register_netdevice(tun->dev); err = register_netdevice(tun->dev);
if (err < 0) if (err < 0)
goto err_free_dev; goto err_detach;
if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) ||
device_create_file(&tun->dev->dev, &dev_attr_owner) || device_create_file(&tun->dev->dev, &dev_attr_owner) ||
...@@ -1689,7 +1689,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) ...@@ -1689,7 +1689,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
strcpy(ifr->ifr_name, tun->dev->name); strcpy(ifr->ifr_name, tun->dev->name);
return 0; return 0;
err_free_dev: err_detach:
tun_detach_all(dev);
err_free_flow:
tun_flow_uninit(tun);
security_tun_dev_free_security(tun->security);
err_free_dev:
free_netdev(dev); free_netdev(dev);
return err; return err;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment