From 4a658527271bce43afb1cf4feec89afe6716ca59 Mon Sep 17 00:00:00 2001 From: David Vrabel Date: Fri, 15 Jan 2016 14:55:35 +0000 Subject: xen-netback: delete NAPI instance when queue fails to initialize When xenvif_connect() fails it may leave a stale NAPI instance added to the device. Make sure we delete it in the error path. Signed-off-by: David Vrabel Signed-off-by: David S. Miller --- drivers/net/xen-netback/interface.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/net/xen-netback/interface.c')
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index e7bd63eb2876..3bba6ceee132 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -615,6 +615,7 @@ err_tx_unbind:
 queue->tx_irq = 0;
 err_unmap:
 xenvif_unmap_frontend_rings(queue);
+ netif_napi_del(&queue->napi);
 err:
 module_put(THIS_MODULE);
 return err;
-- cgit v1.2.3
From 9c6f3ffe8200327d1cf2aad2ff2b414adaacbe96 Mon Sep 17 00:00:00 2001 From: David Vrabel Date: Fri, 15 Jan 2016 14:55:36 +0000 Subject: xen-netback: free queues after freeing the net device If a queue still has a NAPI instance added to the net device, freeing the queues early results in a use-after-free. The shouldn't ever happen because we disconnect and tear down all queues before freeing the net device, but doing this makes it obviously safe. Signed-off-by: David Vrabel Signed-off-by: David S. Miller --- drivers/net/xen-netback/interface.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) (limited to 'drivers/net/xen-netback/interface.c')
diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index 3bba6ceee132..f5231a2dd2ac 100644
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
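Review bot: The added `netif_napi_del(&queue->napi);` under `err_unmap:` (first patch, hunk at -615) has no comment naming the setup step it reverses, and the matching netif_napi_add() call lies outside the hunk, as does the start of the function. Every failure path that enters at `err_tx_unbind` or `err_unmap` now deletes the NAPI instance, so this is only right if the add has already run on all of them; that is worth confirming against the full function body. Connection setup is presumably driven by the guest frontend, so an entry that outlives its queue would be a dangling pointer on a guest-reachable failure path. I would add `/* undo netif_napi_add(); must not stay registered on the device once the queue can be freed */` above the call.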
@@ -685,22 +685,16 @@ void xenvif_deinit_queue(struct xenvif_queue *queue) void xenvif_free(struct xenvif *vif) { - struct xenvif_queue *queue = NULL; + struct xenvif_queue *queues = vif->queues; unsigned int num_queues = vif->num_queues; unsigned int queue_index; unregister_netdev(vif->dev); - - for (queue_index = 0; queue_index < num_queues; ++queue_index) { - queue = &vif->queues[queue_index]; - xenvif_deinit_queue(queue); - } - - vfree(vif->queues); - vif->queues = NULL; - vif->num_queues = 0; - free_netdev(vif->dev); + for (queue_index = 0; queue_index < num_queues; ++queue_index) + xenvif_deinit_queue(&queues[queue_index]); + vfree(queues); + module_put(THIS_MODULE); } -- cgit v1.2.3
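Review bot: Nothing in the new xenvif_free() says why `vif->queues` and `vif->num_queues` are copied into locals before `unregister_netdev()`, yet the loop after `free_netdev(vif->dev)` depends on it: vif appears to be allocated together with the net device, so it is no longer valid once that call returns. A later cleanup that goes back to reading `vif->queues` inside the loop would reintroduce the use-after-free this commit is closing. I would add `/* vif is freed together with the net device; use only the cached queues/num_queues below */` directly after `free_netdev(vif->dev);`. xenvif_deinit_queue() is only named in the hunk header, so it should be checked that it never reaches the interface through the queue.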