@@ -685,22 +685,16 @@ void xenvif_deinit_queue(struct xenvif_queue *queue)
void xenvif_free(struct xenvif *vif)
{
- struct xenvif_queue *queue = NULL;
+ struct xenvif_queue *queues = vif->queues;
unsigned int num_queues = vif->num_queues;
unsigned int queue_index;
unregister_netdev(vif->dev);
-
- for (queue_index = 0; queue_index < num_queues; ++queue_index) {
- queue = &vif->queues[queue_index];
- xenvif_deinit_queue(queue);
- }
-
- vfree(vif->queues);
- vif->queues = NULL;
- vif->num_queues = 0;
-
free_netdev(vif->dev);
+ for (queue_index = 0; queue_index < num_queues; ++queue_index)
+ xenvif_deinit_queue(&queues[queue_index]);
+ vfree(queues);
+
module_put(THIS_MODULE);
}
If a queue still has a NAPI instance added to the net device, freeing the queues early results in a use-after-free. The shouldn't ever happen because we disconnect and tear down all queues before freeing the net device, but doing this makes it obviously safe. Signed-off-by: David Vrabel <david.vrabel@citrix.com> --- drivers/net/xen-netback/interface.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-)