slcan: Fix double-free on slcan_open() error path

Commit 9ebd796e24 ("can: slcan: Fix use-after-free Read in slcan_open") was incorrectly backported to 4.4 and 4.9 stable branches. Since they do not have commit cf124db566 ("net: Fix inconsistent teardown and release of private netdev state."), the destructor function slc_free_netdev() is already responsible for calling free_netdev() and slcan_open() must not call both of them. yangerkun previously fixed the same bug in slip. Fixes: ce624b2089ea ("can: slcan: Fix use-after-free Read in slcan_open") # 4.4 Fixes: f59604a80fa4 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.4 Fixes: 56635a1e6f ("can: slcan: Fix use-after-free Read in slcan_open") # 4.9 Fixes: a1c9b23142 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.9 Cc: yangerkun <yangerkun@huawei.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2026-06-06 19:08:57 +09:00 · 2020-06-02 18:54:18 +01:00
parent 7cea494b1f
commit a7e77ba0bb
1 changed files with 1 additions and 2 deletions
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -618,10 +618,9 @@ err_free_chan:
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
-	slc_free_netdev(sl->dev);
 	/* do not call free_netdev before rtnl_unlock */
 	rtnl_unlock();
-	free_netdev(sl->dev);
+	slc_free_netdev(sl->dev);
 	return err;

 err_exit: