From 39435725ace48273700b55def25b2358f66ff398 Mon Sep 17 00:00:00 2001
From: Pravin B Shelar <pshelar@nicira.com>
Date: Thu, 7 Jun 2012 15:18:17 -0700
Subject: [PATCH] datapath: Fix use-after-free bug in dp_notify.

dp_notify, in unregister case, is accessing vport after detaching
it. Following patch fixes it.

Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
Acked-by: Jesse Gross <jesse@nicira.com>
---
 datapath/dp_notify.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/datapath/dp_notify.c b/datapath/dp_notify.c
index 683f624d..13085d66 100644
--- a/datapath/dp_notify.c
+++ b/datapath/dp_notify.c
@@ -41,18 +41,19 @@ static int dp_device_event(struct notifier_block *unused, unsigned long event,
 	case NETDEV_UNREGISTER:
 		if (!ovs_is_internal_dev(dev)) {
 			struct sk_buff *notify;
+			struct datapath *dp = vport->dp;
 
 			notify = ovs_vport_cmd_build_info(vport, 0, 0,
 							  OVS_VPORT_CMD_DEL);
 			ovs_dp_detach_port(vport);
 			if (IS_ERR(notify)) {
-				netlink_set_err(GENL_SOCK(ovs_dp_get_net(vport->dp)), 0,
+				netlink_set_err(GENL_SOCK(ovs_dp_get_net(dp)), 0,
 						ovs_dp_vport_multicast_group.id,
 						PTR_ERR(notify));
 				break;
 			}
 
-			genlmsg_multicast_netns(ovs_dp_get_net(vport->dp), notify, 0,
+			genlmsg_multicast_netns(ovs_dp_get_net(dp), notify, 0,
 						ovs_dp_vport_multicast_group.id,
 						GFP_KERNEL);
 		}
-- 
2.30.2