Commit 6623e57d authored by 추지호's avatar 추지호 Committed by Ben Hutchings

can: peak: fix bad memory access and free sequence

commit b67d0dd7 upstream.

Fix for bad memory access while disconnecting. netdev is freed before
private data free, and dev is accessed after freeing netdev.

This makes a slub problem, and it raise kernel oops with slub debugger
config.
Signed-off-by: default avatarJiho Chu <jiho.chu@samsung.com>
Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 2dd51775
...@@ -826,23 +826,25 @@ static int peak_usb_create_dev(struct peak_usb_adapter *peak_usb_adapter, ...@@ -826,23 +826,25 @@ static int peak_usb_create_dev(struct peak_usb_adapter *peak_usb_adapter,
static void peak_usb_disconnect(struct usb_interface *intf) static void peak_usb_disconnect(struct usb_interface *intf)
{ {
struct peak_usb_device *dev; struct peak_usb_device *dev;
struct peak_usb_device *dev_prev_siblings;
/* unregister as many netdev devices as siblings */ /* unregister as many netdev devices as siblings */
for (dev = usb_get_intfdata(intf); dev; dev = dev->prev_siblings) { for (dev = usb_get_intfdata(intf); dev; dev = dev_prev_siblings) {
struct net_device *netdev = dev->netdev; struct net_device *netdev = dev->netdev;
char name[IFNAMSIZ]; char name[IFNAMSIZ];
dev_prev_siblings = dev->prev_siblings;
dev->state &= ~PCAN_USB_STATE_CONNECTED; dev->state &= ~PCAN_USB_STATE_CONNECTED;
strncpy(name, netdev->name, IFNAMSIZ); strncpy(name, netdev->name, IFNAMSIZ);
unregister_netdev(netdev); unregister_netdev(netdev);
free_candev(netdev);
kfree(dev->cmd_buf); kfree(dev->cmd_buf);
dev->next_siblings = NULL; dev->next_siblings = NULL;
if (dev->adapter->dev_free) if (dev->adapter->dev_free)
dev->adapter->dev_free(dev); dev->adapter->dev_free(dev);
free_candev(netdev);
dev_info(&intf->dev, "%s removed\n", name); dev_info(&intf->dev, "%s removed\n", name);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment