summaryrefslogtreecommitdiff
path: root/drivers/net/can/usb
diff options
context:
space:
mode:
author추지호 <jiho.chu@samsung.com>2016-12-08 15:01:13 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-12-15 19:49:22 +0300
commite29949ed3903930e38dead204b01e7912c98fe33 (patch)
treec1594dc4329cf0bc6612ee7a903bca6ae83e2e04 /drivers/net/can/usb
parent083021bdba1e6d480170a4ae86cddc10f88c54d5 (diff)
downloadlinux-e29949ed3903930e38dead204b01e7912c98fe33.tar.xz
can: peak: fix bad memory access and free sequence
commit b67d0dd7d0dc9e456825447bbeb935d8ef43ea7c upstream. Fix for bad memory access while disconnecting. netdev is freed before private data free, and dev is accessed after freeing netdev. This makes a slub problem, and it raise kernel oops with slub debugger config. Signed-off-by: Jiho Chu <jiho.chu@samsung.com> Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/net/can/usb')
-rw-r--r--drivers/net/can/usb/peak_usb/pcan_usb_core.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
index 5a2e341a6d1e..91be4575b524 100644
--- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c
+++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c
@@ -872,23 +872,25 @@ lbl_free_candev:
static void peak_usb_disconnect(struct usb_interface *intf)
{
struct peak_usb_device *dev;
+ struct peak_usb_device *dev_prev_siblings;
/* unregister as many netdev devices as siblings */
- for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) {
+ for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
struct net_device *netdev = dev->netdev;
char name[IFNAMSIZ];
+ dev_prev_siblings = dev->prev_siblings;
dev->state &= ~PCAN_USB_STATE_CONNECTED;
strncpy(name, netdev->name, IFNAMSIZ);
unregister_netdev(netdev);
- free_candev(netdev);
kfree(dev->cmd_buf);
dev->next_siblings = NULL;
if (dev->adapter->dev_free)
dev->adapter->dev_free(dev);
+ free_candev(netdev);
dev_info(&intf->dev, "%s removed\n", name);
}