From a286e34de0568903e93d54beb1c62ce19f1b5031 Mon Sep 17 00:00:00 2001 From: David Matlack <dmatlack@google.com> Date: Mon, 5 May 2014 21:02:32 -0700 Subject: [PATCH] staging: slicoss: fix multiple free-after-free in slic_entry_remove This patch fixes two free-after-free bugs in slic_entry_remove. Specifically, slic_unmap_mmio_space() iounmaps adapter->slic_regs, which is the same region of memory as dev->base_addr (iounmap-ed a few lines later). Next, both release_mem_region() and pci_release_regions() are called on the same pci_dev struct. Signed-off-by: David Matlack <dmatlack@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> --- drivers/staging/slicoss/slicoss.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c index 0b0a7b4e20e4..c6c1c4082d76 100644 --- a/drivers/staging/slicoss/slicoss.c +++ b/drivers/staging/slicoss/slicoss.c @@ -2954,8 +2954,6 @@ static void slic_card_cleanup(struct sliccard *card) static void slic_entry_remove(struct pci_dev *pcidev) { struct net_device *dev = pci_get_drvdata(pcidev); - u32 mmio_start = 0; - uint mmio_len = 0; struct adapter *adapter = netdev_priv(dev); struct sliccard *card; struct mcast_address *mcaddr, *mlist; @@ -2964,12 +2962,6 @@ static void slic_entry_remove(struct pci_dev *pcidev) slic_unmap_mmio_space(adapter); unregister_netdev(dev); - mmio_start = pci_resource_start(pcidev, 0); - mmio_len = pci_resource_len(pcidev, 0); - - release_mem_region(mmio_start, mmio_len); - - iounmap((void __iomem *)dev->base_addr); /* free multicast addresses */ mlist = adapter->mcastaddrs; while (mlist) { -- 2.20.1