[PATCH 7/7] staging: slicoss: fix use-after-free bug in slic_entry_remove

David Matlack dmatlack at google.com
Tue May 6 04:02:37 UTC 2014


This patch fixes a use-after-free bug that causes a null pointer
dereference in slic_entry_halt.

Since unregister_netdev() will ultimately call slic_entry_halt (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory used by slic_entry_halt.

Signed-off-by: David Matlack <dmatlack at google.com>
---
 drivers/staging/slicoss/slicoss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index 55afe0d..96b29ec 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2526,9 +2526,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
 	struct sliccard *card;
 	struct mcast_address *mcaddr, *mlist;
 
+	unregister_netdev(dev);
+
 	slic_adapter_freeresources(adapter);
 	slic_unmap_mmio_space(adapter);
-	unregister_netdev(dev);
 
 	/* free multicast addresses */
 	mlist = adapter->mcastaddrs;
-- 
1.9.2



More information about the devel mailing list