diff options
| author | Stephane Grosjean <s.grosjean@peak-system.com> | 2014-05-20 05:38:56 -0400 |
|---|---|---|
| committer | Marc Kleine-Budde <mkl@pengutronix.de> | 2014-05-21 02:17:03 -0400 |
| commit | 0b5a958cf4df3a5cd578b861471e62138f55c85e (patch) | |
| tree | be02fbf4f83f6a1a9c89239951c6da0ba6720355 /drivers/net/can | |
| parent | 78ff4be45a4c51d8fb21ad92e4fabb467c6c3eeb (diff) | |
can: peak_pci: prevent use after free at netdev removal
As remarked by Christopher R. Baker in his post at
http://marc.info/?l=linux-can&m=139707295706465&w=2
there's a possibility for an use after free condition at device removal.
This simplified patch introduces an additional variable to prevent the issue.
Thanks for catching this.
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: Christopher R. Baker <cbaker@rec.ri.cmu.edu>
Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Diffstat (limited to 'drivers/net/can')
| -rw-r--r-- | drivers/net/can/sja1000/peak_pci.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/drivers/net/can/sja1000/peak_pci.c b/drivers/net/can/sja1000/peak_pci.c index c540e3d12e3d..564933ae218c 100644 --- a/drivers/net/can/sja1000/peak_pci.c +++ b/drivers/net/can/sja1000/peak_pci.c | |||
| @@ -551,7 +551,7 @@ static int peak_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) | |||
| 551 | { | 551 | { |
| 552 | struct sja1000_priv *priv; | 552 | struct sja1000_priv *priv; |
| 553 | struct peak_pci_chan *chan; | 553 | struct peak_pci_chan *chan; |
| 554 | struct net_device *dev; | 554 | struct net_device *dev, *prev_dev; |
| 555 | void __iomem *cfg_base, *reg_base; | 555 | void __iomem *cfg_base, *reg_base; |
| 556 | u16 sub_sys_id, icr; | 556 | u16 sub_sys_id, icr; |
| 557 | int i, err, channels; | 557 | int i, err, channels; |
| @@ -688,11 +688,13 @@ failure_remove_channels: | |||
| 688 | writew(0x0, cfg_base + PITA_ICR + 2); | 688 | writew(0x0, cfg_base + PITA_ICR + 2); |
| 689 | 689 | ||
| 690 | chan = NULL; | 690 | chan = NULL; |
| 691 | for (dev = pci_get_drvdata(pdev); dev; dev = chan->prev_dev) { | 691 | for (dev = pci_get_drvdata(pdev); dev; dev = prev_dev) { |
| 692 | unregister_sja1000dev(dev); | ||
| 693 | free_sja1000dev(dev); | ||
| 694 | priv = netdev_priv(dev); | 692 | priv = netdev_priv(dev); |
| 695 | chan = priv->priv; | 693 | chan = priv->priv; |
| 694 | prev_dev = chan->prev_dev; | ||
| 695 | |||
| 696 | unregister_sja1000dev(dev); | ||
| 697 | free_sja1000dev(dev); | ||
| 696 | } | 698 | } |
| 697 | 699 | ||
| 698 | /* free any PCIeC resources too */ | 700 | /* free any PCIeC resources too */ |
| @@ -726,10 +728,12 @@ static void peak_pci_remove(struct pci_dev *pdev) | |||
| 726 | 728 | ||
| 727 | /* Loop over all registered devices */ | 729 | /* Loop over all registered devices */ |
| 728 | while (1) { | 730 | while (1) { |
| 731 | struct net_device *prev_dev = chan->prev_dev; | ||
| 732 | |||
| 729 | dev_info(&pdev->dev, "removing device %s\n", dev->name); | 733 | dev_info(&pdev->dev, "removing device %s\n", dev->name); |
| 730 | unregister_sja1000dev(dev); | 734 | unregister_sja1000dev(dev); |
| 731 | free_sja1000dev(dev); | 735 | free_sja1000dev(dev); |
| 732 | dev = chan->prev_dev; | 736 | dev = prev_dev; |
| 733 | 737 | ||
| 734 | if (!dev) { | 738 | if (!dev) { |
| 735 | /* do that only for first channel */ | 739 | /* do that only for first channel */ |