The net device ndev is freed via free_netdev when failing to register
the device. The control flow then jumps to the error handling code
block. ndev is used and freed again, resulting in a use-after-free bug.
Signed-off-by: Pan Bian <[email protected]>
---
drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
index be268dc..f9a4e76 100644
--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
+++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
@@ -915,10 +915,8 @@ static int hip04_mac_probe(struct platform_device *pdev)
}
ret = register_netdev(ndev);
- if (ret) {
- free_netdev(ndev);
+ if (ret)
goto alloc_fail;
- }
return 0;
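Review bot: the `alloc_fail` block that the `if (ret)` path after `register_netdev(ndev)` now relies on lies outside the hunk context, so the patch alone does not show which calls there use ndev or that it ends in `free_netdev(ndev)`. Please name those calls in the commit message, and add a Fixes: tag for the commit that introduced the extra `free_netdev(ndev)` so the fix can be backported. As a separate style point, the label name `alloc_fail` does not describe a registration failure; a rename could follow as its own cleanup.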
--
2.7.4
From: Pan Bian <[email protected]>
Date: Wed, 28 Nov 2018 15:30:24 +0800
> The net device ndev is freed via free_netdev when failing to register
> the device. The control flow then jumps to the error handling code
> block. ndev is used and freed again, resulting in a use-after-free bug.
>
> Signed-off-by: Pan Bian <[email protected]>
Applied.