can: peak: fix bad memory access and free sequence
author추지호 <jiho.chu@samsung.com>
Thu, 8 Dec 2016 12:01:13 +0000 (12:01 +0000)
committerWilly Tarreau <w@1wt.eu>
Tue, 20 Jun 2017 12:02:48 +0000 (14:02 +0200)
commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream.

Fix for bad memory access while disconnecting. netdev is freed before
private data free, and dev is accessed after freeing netdev.

This makes a slub problem, and it raise kernel oops with slub debugger
config.

Signed-off-by: Jiho Chu <jiho.chu@samsung.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/net/can/usb/peak_usb/pcan_usb_core.c

index 3a220d2f2ee1b47763eefbe73e7944e94debb056..9a82890f64e5888e7561f6b11cfbc6e08b692a5a 100644 (file)
@@ -817,23 +817,25 @@ lbl_free_candev:
 static void peak_usb_disconnect(struct usb_interface *intf)
 {
        struct peak_usb_device *dev;
+       struct peak_usb_device *dev_prev_siblings;
 
        /* unregister as many netdev devices as siblings */
-       for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
+       for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
                struct net_device *netdev = dev->netdev;
                char name[IFNAMSIZ];
 
+               dev_prev_siblings = dev->prev_siblings;
                dev->state &= ~PCAN_USB_STATE_CONNECTED;
                strncpy(name, netdev->name, IFNAMSIZ);
 
                unregister_netdev(netdev);
-               free_candev(netdev);
 
                kfree(dev->cmd_buf);
                dev->next_siblings = NULL;
                if (dev->adapter->dev_free)
                        dev->adapter->dev_free(dev);
 
+               free_candev(netdev);
                dev_info(&intf->dev, "%s removed\n", name);
        }