From: David Matlack Date: Tue, 6 May 2014 04:02:32 +0000 (-0700) Subject: staging: slicoss: fix multiple free-after-free in slic_entry_remove X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=a286e34de0568903e93d54beb1c62ce19f1b5031;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git staging: slicoss: fix multiple free-after-free in slic_entry_remove This patch fixes two free-after-free bugs in slic_entry_remove. Specifically, slic_unmap_mmio_space() iounmaps adapter->slic_regs, which is the same region of memory as dev->base_addr (iounmap-ed a few lines later). Next, both release_mem_region() and pci_release_regions() are called on the same pci_dev struct. Signed-off-by: David Matlack Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index 0b0a7b4e20e4..c6c1c4082d76 100644
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2954,8 +2954,6 @@ static void slic_card_cleanup(struct sliccard *card)
 static void slic_entry_remove(struct pci_dev *pcidev)
 {
 struct net_device *dev = pci_get_drvdata(pcidev);
- u32 mmio_start = 0;
- uint mmio_len = 0;
 struct adapter *adapter = netdev_priv(dev);
 struct sliccard *card;
 struct mcast_address *mcaddr, *mlist;
@@ -2964,12 +2962,6 @@ static void slic_entry_remove(struct pci_dev *pcidev)
 slic_unmap_mmio_space(adapter);
 unregister_netdev(dev);
- mmio_start = pci_resource_start(pcidev, 0);
- mmio_len = pci_resource_len(pcidev, 0);
-
- release_mem_region(mmio_start, mmio_len);
-
- iounmap((void __iomem *)dev->base_addr);
 /* free multicast addresses */
 mlist = adapter->mcastaddrs;
 while (mlist) {
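Review bot: In the second hunk's surviving context, `slic_unmap_mmio_space(adapter);` still runs before `unregister_netdev(dev);`, so the register mapping is released while the net device is still registered. If the interface is up at removal, unregister_netdev() presumably drives the driver's stop path, and any register access made there would touch the already-unmapped adapter->slic_regs; this cannot be confirmed from the hunk, because slic_entry_remove starts and ends outside it. Consider swapping the two calls so that `unregister_netdev(dev);` comes first and `slic_unmap_mmio_space(adapter);` second. A short comment such as `/* slic_unmap_mmio_space() is the only unmap of BAR 0; dev->base_addr aliases adapter->slic_regs */` would also keep the removed iounmap from being re-added later.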