[PATCH] staging: slicoss: fix use-after-free bug in slic_entry_remove

[David Matlack]

Fix a use-after-free bug that causes a null pointer dereference in
slic_entry_halt().

Since unregister_netdev() will ultimately call slic_entry_halt() (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory that is used by slic_entry_halt().
Specifically, slic_unmap_mmio_space() frees adapter->slic_regs, but
those registers are used in slic_entry_halt().

Signed-off-by: David Matlack <matlackdavid@xxxxxxxxx>
---
This patch was originally sent here https://lkml.org/lkml/2014/5/6/5 with
my google.com email address. But due to Google's recent change in DMARC
policies, that patchset was silently dropped for at least some users
(including my personal gmail account). So I'm sending it out now with
my gmail.com account. Let me know if this is an issue. Thanks.

 drivers/staging/slicoss/slicoss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index d670490..b8eeb3b 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2526,9 +2526,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
 	struct sliccard *card;
 	struct mcast_address *mcaddr, *mlist;
 
+	unregister_netdev(dev);
+
 	slic_adapter_freeresources(adapter);
 	slic_unmap_mmio_space(adapter);
-	unregister_netdev(dev);
 
 	/* free multicast addresses */
 	mlist = adapter->mcastaddrs;
-- 
1.9.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/