• Daniel Lezcano's avatar
    [NET]: Fix free_netdev on register_netdev failure. · 93ee31f1
    Daniel Lezcano authored
    Point 1:
    The unregistering of a network device schedule a netdev_run_todo.
    This function calls dev->destructor when it is set and the
    destructor calls free_netdev.
    
    Point 2:
    In the case of an initialization of a network device the usual code
    is:
     * alloc_netdev
     * register_netdev
        -> if this one fails, call free_netdev and exit with error.
    
    Point 3:
    In the register_netdevice function at the later state, when the device
    is at the registered state, a call to the netdevice_notifiers is made.
    If one of the notification falls into an error, a rollback to the
    registered state is done using unregister_netdevice.
    
    Conclusion:
    When a network device fails to register during initialization because
    one network subsystem returned an error during a notification call
    chain, the network device is freed twice because of fact 1 and fact 2.
    The second free_netdev will be done with an invalid pointer.
    
    Proposed solution:
    The following patch move all the code of unregister_netdevice *except*
    the call to net_set_todo, to a new function "rollback_registered".
    
    The following functions are changed in this way:
     * register_netdevice: calls rollback_registered when a notification fails
     * unregister_netdevice: calls rollback_register + net_set_todo, the call
                             order to net_set_todo is changed because it is the
                             latest now. Since it justs add an element to a list
                             that should not break anything.
    Signed-off-by: default avatarDaniel Lezcano <dlezcano@fr.ibm.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    93ee31f1
dev.c 108 KB