[PATCH] staging: slicoss: fix use-after-free in slic_entry_probe

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: David Matlack <matlackdavid@gmail.com>
To: gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, devel@driverdev.osuosl.org,
	liodot@gmail.com, charrer@alacritech.com,
	David Matlack <matlackdavid@gmail.com>
Subject: [PATCH] staging: slicoss: fix use-after-free in slic_entry_probe
Date: Thu, 22 May 2014 21:25:40 -0700	[thread overview]
Message-ID: <1400819147-14236-1-git-send-email-matlackdavid@gmail.com> (raw)

Fix a use-after-free bug that can cause a kernel oops. If
slic_card_init fails then slic_entry_probe() (the pci probe()
function for this device) will return error without cleaning
up memory (including the registered netdev struct).

Signed-off-by: David Matlack <matlackdavid@gmail.com>
---
This patch was originally sent here https://lkml.org/lkml/2014/5/6/10 with
my google.com email address. But due to Google's recent change in DMARC
policies, that patchset was silently dropped for at least some users
(including my personal gmail account). So I'm sending it out now with
my gmail.com account. Let me know if this is an issue. Thanks.

 drivers/staging/slicoss/slicoss.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index e27b88f..6113b90 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -3595,7 +3595,6 @@ static int slic_entry_probe(struct pci_dev *pcidev,
 	struct net_device *netdev;
 	struct adapter *adapter;
 	void __iomem *memmapped_ioaddr = NULL;
-	u32 status = 0;
 	ulong mmio_start = 0;
 	ulong mmio_len = 0;
 	struct sliccard *card = NULL;
@@ -3686,16 +3685,11 @@ static int slic_entry_probe(struct pci_dev *pcidev,
 		adapter->allocated = 1;
 	}
 
-	status = slic_card_init(card, adapter);
+	err = slic_card_init(card, adapter);
+	if (err)
+		goto err_out_unmap;
 
-	if (status != 0) {
-		card->state = CARD_FAIL;
-		adapter->state = ADAPT_FAIL;
-		adapter->linkstate = LINK_DOWN;
-		dev_err(&pcidev->dev, "FAILED status[%x]\n", status);
-	} else {
-		slic_adapter_set_hwaddr(adapter);
-	}
+	slic_adapter_set_hwaddr(adapter);
 
 	netdev->base_addr = (unsigned long)adapter->memorybase;
 	netdev->irq = adapter->irq;
@@ -3712,7 +3706,7 @@ static int slic_entry_probe(struct pci_dev *pcidev,
 
 	cards_found++;
 
-	return status;
+	return 0;
 
 err_out_unmap:
 	iounmap(memmapped_ioaddr);
-- 
1.9.2

next             reply	other threads:[~2014-05-23  4:26 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-05-23  4:25 David Matlack [this message]
2014-05-23  4:25 ` [PATCH] staging: slicoss: fix free-after-free in slic_entry_remove David Matlack
2014-05-23  4:25 ` [PATCH] staging: slicoss: remove unused members of struct adapter David Matlack
2014-05-23  4:25 ` [PATCH] staging: slicoss: remove gratuitous debug infrastructure David Matlack
2014-05-23  4:25 ` [PATCH] staging: slicoss: fix 64-bit isr address bug David Matlack
2014-05-23  4:25 ` [PATCH] staging: slicoss: fix use-after-free bug in slic_entry_remove David Matlack
2014-05-23  4:25 ` [PATCH] staging: slicoss: remove private netdev list David Matlack
2014-05-23 20:11   ` David Matlack
2014-05-23 22:17     ` Greg KH
2014-05-23  4:25 ` [PATCH] staging: slicoss: clean up use of dev_err David Matlack
2014-05-23 20:14   ` David Matlack
2014-05-23 11:14 ` [PATCH] staging: slicoss: fix use-after-free in slic_entry_probe Greg KH
2014-05-23 20:07   ` David Matlack

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e27b88f dfblob:6113b90 )
 OR (
bs:"[PATCH] staging: slicoss: fix use-after-free in slic_entry_probe" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1400819147-14236-1-git-send-email-matlackdavid@gmail.com \
    --to=matlackdavid@gmail.com \
    --cc=charrer@alacritech.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=liodot@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox