xen-netback: free queues after freeing the net device

If a queue still has a NAPI instance added to the net device, freeing
the queues early results in a use-after-free.

The shouldn't ever happen because we disconnect and tear down all queues
before freeing the net device, but doing this makes it obviously safe.

Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c
index 3bba6ce..f5231a2 100644 (file)
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -685,22 +685,16 @@ void xenvif_deinit_queue(struct xenvif_queue *queue)
 
 void xenvif_free(struct xenvif *vif)
 {
-       struct xenvif_queue *queue = NULL;
+       struct xenvif_queue *queues = vif->queues;
        unsigned int num_queues = vif->num_queues;
        unsigned int queue_index;
 
        unregister_netdev(vif->dev);
-
-       for (queue_index = 0; queue_index < num_queues; ++queue_index) {
-               queue = &vif->queues[queue_index];
-               xenvif_deinit_queue(queue);
-       }
-
-       vfree(vif->queues);
-       vif->queues = NULL;
-       vif->num_queues = 0;
-
        free_netdev(vif->dev);
 
+       for (queue_index = 0; queue_index < num_queues; ++queue_index)
+               xenvif_deinit_queue(&queues[queue_index]);
+       vfree(queues);
+
        module_put(THIS_MODULE);
 }