commit 9b5e383c11b08784 (net: Introduce unregister_netdevice_many()) left an active LIST_HEAD() in rollback_registered(), with possible memory corruption.
Even if device is freed without touching its unreg_list (and therefore touching the previous memory location holding LISTE_HEAD(single), better close the bug for good, since its really subtle. (Same fix for default_device_exit_batch() for completeness) Reported-by: Michal Hocko <[email protected]> Reported-by: Eric W. Biderman <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Eric Dumazet <[email protected]> CC: Ingo Molnar <[email protected]> CC: Octavian Purdila <[email protected]> CC: Eric W. Biderman <[email protected]> CC: stable <[email protected]> [.33+] --- net/core/dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/core/dev.c b/net/core/dev.c index a18c164..8ae6631 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -5066,6 +5066,7 @@ static void rollback_registered(struct net_device *dev) list_add(&dev->unreg_list, &single); rollback_registered_many(&single); + list_del(&single); } unsigned long netdev_fix_features(unsigned long features, const char *name) @@ -6219,6 +6220,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list) } } unregister_netdevice_many(&dev_kill_list); + list_del(&dev_kill_list); rtnl_unlock(); } _______________________________________________ stable mailing list [email protected] http://linux.kernel.org/mailman/listinfo/stable
