From: Ido Schimmel Date: Fri, 30 Oct 2015 16:46:19 +0000 (+0100) Subject: bridge: vlan: Prevent possible use-after-free X-Git-Tag: firefly_0821_release~176^2~818^2~25^2~1 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=07bc588fc1087929e8e6dfe95ffcee1cb69a240f;p=firefly-linux-kernel-4.4.55.git bridge: vlan: Prevent possible use-after-free When adding a port to a bridge we initialize VLAN filtering on it. We do not bail out in case an error occurred in nbp_vlan_init, as it can be used as a non VLAN filtering bridge. However, if VLAN filtering is required and an error occurred in nbp_vlan_init, we should set vlgrp to NULL, so that VLAN filtering functions (e.g. br_vlan_find, br_get_pvid) will know the struct is invalid and will not try to access it. Signed-off-by: Ido Schimmel Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller --- diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index 5f0d0cc4744f..1054696323d7 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -914,6 +914,8 @@ out: return ret; err_vlan_add: + RCU_INIT_POINTER(p->vlgrp, NULL); + synchronize_rcu(); rhashtable_destroy(&vg->vlan_hash); err_rhtbl: kfree(vg);