[PATCH 7/7] staging: slicoss: fix use-after-free bug in slic_entry_remove

From: David Matlack
Date: Tue May 06 2014 - 00:03:44 EST


This patch fixes a use-after-free bug that causes a null pointer
dereference in slic_entry_halt.

Since unregister_netdev() will ultimately call slic_entry_halt (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory used by slic_entry_halt.

Signed-off-by: David Matlack <dmatlack@xxxxxxxxxx>
---
drivers/staging/slicoss/slicoss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index 55afe0d..96b29ec 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2526,9 +2526,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
struct sliccard *card;
struct mcast_address *mcaddr, *mlist;

+ unregister_netdev(dev);
+
slic_adapter_freeresources(adapter);
slic_unmap_mmio_space(adapter);
- unregister_netdev(dev);

/* free multicast addresses */
mlist = adapter->mcastaddrs;
--
1.9.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/