From: David Matlack <dmatlack@google.com>
To: gregkh@linuxfoundation.org
Cc: liodot@gmail.com, charrer@alacritech.com,
linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
David Matlack <dmatlack@google.com>
Subject: [PATCH 1/7] staging: slicoss: fix use-after-free in slic_entry_probe
Date: Mon, 5 May 2014 21:02:31 -0700
Message-ID: <1399348957-16663-2-git-send-email-dmatlack@google.com>
In-Reply-To: <1399348957-16663-1-git-send-email-dmatlack@google.com>
This patch fixes a use-after-free bug that can cause a kernel
oops. If slic_card_init fails then slic_entry_probe (the pci
probe() function for this device) will return error without
cleaning up memory.
Signed-off-by: David Matlack <dmatlack@google.com>
---
drivers/staging/slicoss/slicoss.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index e27b88f..6113b90 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -3595,7 +3595,6 @@ static int slic_entry_probe(struct pci_dev *pcidev,
struct net_device *netdev;
struct adapter *adapter;
void __iomem *memmapped_ioaddr = NULL;
- u32 status = 0;
ulong mmio_start = 0;
ulong mmio_len = 0;
struct sliccard *card = NULL;
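Review bot: dropping `u32 status` means the result of slic_card_init is stored in `err` (next hunk), whose declaration is not in the visible context. Since that value now becomes the return value of probe(), please confirm `err` is a signed int and that slic_card_init returns a negative errno rather than a device status code of the kind the old `%x` print suggests.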
@@ -3686,16 +3685,11 @@ static int slic_entry_probe(struct pci_dev *pcidev,
adapter->allocated = 1;
}
- status = slic_card_init(card, adapter);
+ err = slic_card_init(card, adapter);
+ if (err)
+ goto err_out_unmap;
- if (status != 0) {
- card->state = CARD_FAIL;
- adapter->state = ADAPT_FAIL;
- adapter->linkstate = LINK_DOWN;
- dev_err(&pcidev->dev, "FAILED status[%x]\n", status);
- } else {
- slic_adapter_set_hwaddr(adapter);
- }
+ slic_adapter_set_hwaddr(adapter);
netdev->base_addr = (unsigned long)adapter->memorybase;
netdev->irq = adapter->irq;
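Review bot: the slic_card_init failure path is now silent: the removed block logged `dev_err(&pcidev->dev, "FAILED status[%x]\n", status);` while the new `if (err) goto err_out_unmap;` logs nothing, so a failed probe leaves only the return code to go on. Consider keeping a dev_err that prints the error value before the goto. The commit message would also be easier to check against this hunk if it named the object that is freed and where it is used afterwards; as written it only says probe returns an error without cleaning up.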
@@ -3712,7 +3706,7 @@ static int slic_entry_probe(struct pci_dev *pcidev,
cards_found++;
- return status;
+ return 0;
err_out_unmap:
iounmap(memmapped_ioaddr);
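Review bot: the only cleanup visible at `err_out_unmap` is `iounmap(memmapped_ioaddr)`, yet the new jump to this label happens later in probe than the ioremap (the previous hunk shows `adapter->allocated = 1` just before the slic_card_init call). Please confirm that the code following this label releases everything acquired up to that point, including whatever slic_card_init set up before it failed; if it does not, a separate label placed ahead of err_out_unmap is needed. The `return 0` on the success path is fine now that all failures leave through a goto.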
--
1.9.2
Thread overview:
2014-05-06 4:02 [PATCH 0/7] staging: slicoss: bug fixes to stabilize driver David Matlack
2014-05-06 4:02 ` David Matlack [this message]
2014-05-06 4:02 ` [PATCH 2/7] staging: slicoss: fix multiple free-after-free in slic_entry_remove David Matlack
2014-05-06 4:02 ` [PATCH 3/7] staging: slicoss: remove unused members of struct adapter David Matlack
2014-05-06 4:02 ` [PATCH 4/7] staging: slicoss: remove gratuitous debug infrastructure David Matlack
2014-05-06 4:02 ` [PATCH 5/7] staging: slicoss: fix dma memory leak David Matlack
2014-05-06 4:02 ` [PATCH 6/7] staging: slicoss: fix 64-bit isr address bug David Matlack
2014-05-06 4:02 ` [PATCH 7/7] staging: slicoss: fix use-after-free bug in slic_entry_remove David Matlack