Fix a use-after-free bug that causes a null pointer dereference in slic_entry_halt(). Since unregister_netdev() will ultimately call slic_entry_halt() (the net_device ndo_stop() virtual function for this device), we should call it before freeing the memory that is used by slic_entry_halt(). Specifically, slic_unmap_mmio_space() frees adapter->slic_regs, but those registers are used in slic_entry_halt(). Signed-off-by: David Matlack <matlackdavid@xxxxxxxxx> --- This patch was originally sent here https://lkml.org/lkml/2014/5/6/5 with my google.com email address. But due to Google's recent change in DMARC policies, that patchset was silently dropped for at least some users (including my personal gmail account). So I'm sending it out now with my gmail.com account. Let me know if this is an issue. Thanks. drivers/staging/slicoss/slicoss.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c index d670490..b8eeb3b 100644 --- a/drivers/staging/slicoss/slicoss.c +++ b/drivers/staging/slicoss/slicoss.c @@ -2526,9 +2526,10 @@ static void slic_entry_remove(struct pci_dev *pcidev) struct sliccard *card; struct mcast_address *mcaddr, *mlist; + unregister_netdev(dev); + slic_adapter_freeresources(adapter); slic_unmap_mmio_space(adapter); - unregister_netdev(dev); /* free multicast addresses */ mlist = adapter->mcastaddrs; -- 1.9.2 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
