[PATCH] staging: slicoss: fix use-after-free in slic_entry_probe

From: David Matlack
Date: Fri May 23 2014 - 00:27:45 EST

Next message: David Matlack: "[PATCH] staging: slicoss: remove unused members of struct adapter"
Previous message: David Matlack: "[PATCH] staging: slicoss: remove private netdev list"
Next in thread: David Matlack: "[PATCH] staging: slicoss: fix free-after-free in slic_entry_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix a use-after-free bug that can cause a kernel oops. If
slic_card_init fails then slic_entry_probe() (the pci probe()
function for this device) will return error without cleaning
up memory (including the registered netdev struct).

Signed-off-by: David Matlack <matlackdavid@xxxxxxxxx>
---
This patch was originally sent here https://lkml.org/lkml/2014/5/6/10 with
my google.com email address. But due to Google's recent change in DMARC
policies, that patchset was silently dropped for at least some users
(including my personal gmail account). So I'm sending it out now with
my gmail.com account. Let me know if this is an issue. Thanks.

drivers/staging/slicoss/slicoss.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index e27b88f..6113b90 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -3595,7 +3595,6 @@ static int slic_entry_probe(struct pci_dev *pcidev,
struct net_device *netdev;
struct adapter *adapter;
void __iomem *memmapped_ioaddr = NULL;
- u32 status = 0;
ulong mmio_start = 0;
ulong mmio_len = 0;
struct sliccard *card = NULL;
@@ -3686,16 +3685,11 @@ static int slic_entry_probe(struct pci_dev *pcidev,
adapter->allocated = 1;
}

- status = slic_card_init(card, adapter);
+ err = slic_card_init(card, adapter);
+ if (err)
+ goto err_out_unmap;

- if (status != 0) {
- card->state = CARD_FAIL;
- adapter->state = ADAPT_FAIL;
- adapter->linkstate = LINK_DOWN;
- dev_err(&pcidev->dev, "FAILED status[%x]\n", status);
- } else {
- slic_adapter_set_hwaddr(adapter);
- }
+ slic_adapter_set_hwaddr(adapter);

netdev->base_addr = (unsigned long)adapter->memorybase;
netdev->irq = adapter->irq;
@@ -3712,7 +3706,7 @@ static int slic_entry_probe(struct pci_dev *pcidev,

cards_found++;

- return status;
+ return 0;

err_out_unmap:
iounmap(memmapped_ioaddr);
--
1.9.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Matlack: "[PATCH] staging: slicoss: remove unused members of struct adapter"
Previous message: David Matlack: "[PATCH] staging: slicoss: remove private netdev list"
Next in thread: David Matlack: "[PATCH] staging: slicoss: fix free-after-free in slic_entry_remove"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]