staging: slicoss: fix use-after-free bug in slic_entry_remove

This patch fixes a use-after-free bug that causes a null pointer
dereference in slic_entry_halt.

Since unregister_netdev() will ultimately call slic_entry_halt (the
net_device ndo_stop() virtual function for this device), we should
call it before freeing the memory used by slic_entry_halt.

Signed-off-by: David Matlack <dmatlack@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/slicoss/slicoss.c b/drivers/staging/slicoss/slicoss.c
index fde0ff9..3010501 100644 (file)
--- a/drivers/staging/slicoss/slicoss.c
+++ b/drivers/staging/slicoss/slicoss.c
@@ -2525,9 +2525,10 @@ static void slic_entry_remove(struct pci_dev *pcidev)
        struct sliccard *card;
        struct mcast_address *mcaddr, *mlist;
 
+       unregister_netdev(dev);
+
        slic_adapter_freeresources(adapter);
        slic_unmap_mmio_space(adapter);
-       unregister_netdev(dev);
 
        /* free multicast addresses */
        mlist = adapter->mcastaddrs;