From: David Matlack <dmatlack@google.com>
Date: Tue, 6 May 2014 04:02:37 +0000 (-0700)
Subject: staging: slicoss: fix use-after-free bug in slic_entry_remove
X-Git-Tag: firefly_0821_release~176^2~3465^2~39^2~563
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=dedabbbcb5ed7c75664b4ca66a525c09fe6acf12;p=firefly-linux-kernel-4.4.55.git

staging: slicoss: fix use-after-free bug in slic_entry_remove

This patch fixes a use-after-free bug that causes a null pointer
dereference in slic_entry_halt.

Since unregister_netdev() will ultimately call slic_entry_halt (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory used by slic_entry_halt.

Signed-off-by: David Matlack <dmatlack@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index fde0ff97f5fb..3010501120d2 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2525,9 +2525,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
 	struct sliccard *card;
 	struct mcast_address *mcaddr, *mlist;
 
+	unregister_netdev(dev);
+
 	slic_adapter_freeresources(adapter);
 	slic_unmap_mmio_space(adapter);
-	unregister_netdev(dev);
 
 	/* free multicast addresses */
 	mlist = adapter->mcastaddrs;