rionet: fix NULL pointer dereference in rionet_remove

Function rionet_remove initializes local variable 'ndev' to NULL and do nothing changes before the call to unregister_netdev(ndev), this could cause a NULL pointer dereference. Reported-by: N Jesper Juhl <jj@chaosbits.net> Signed-off-by: N Yinglin Luan <synmyth@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

rionet: fix NULL pointer dereference in rionet_remove
Function rionet_remove initializes local variable 'ndev' to NULL and do nothing changes before the call to unregister_netdev(ndev), this could cause a NULL pointer dereference. Reported-by: N Jesper Juhl <jj@chaosbits.net> Signed-off-by: N Yinglin Luan <synmyth@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
55caa924 · Yinglin Luan · David S. Miller · 7ab24bfd · 55caa924
隐藏空白更改
内联并排

Showing with 15 addition and 13 deletion

drivers/net/rionet.c drivers/net/rionet.c +15 -13

未找到文件。
--- a/drivers/net/rionet.c
+++ b/drivers/net/rionet.c
@@ -378,7 +378,7 @@ static int rionet_close(struct net_device *ndev)

 static void rionet_remove(struct rio_dev *rdev)
 {
-	struct net_device *ndev = NULL;
+	struct net_device *ndev = rio_get_drvdata(rdev);
 	struct rionet_peer *peer, *tmp;

 	free_pages((unsigned long)rionet_active, rdev->net->hport->sys_size ?
@@ -433,22 +433,12 @@ static const struct net_device_ops rionet_netdev_ops = {
 	.ndo_set_mac_address	= eth_mac_addr,
 };

-static int rionet_setup_netdev(struct rio_mport *mport)
+static int rionet_setup_netdev(struct rio_mport *mport, struct net_device *ndev)
 {
 	int rc = 0;
-	struct net_device *ndev = NULL;
 	struct rionet_private *rnet;
 	u16 device_id;

-	/* Allocate our net_device structure */
-	ndev = alloc_etherdev(sizeof(struct rionet_private));
-	if (ndev == NULL) {
-		printk(KERN_INFO "%s: could not allocate ethernet device.\n",
-		       DRV_NAME);
-		rc = -ENOMEM;
-		goto out;
-	}
-
 	rionet_active = (struct rio_dev **)__get_free_pages(GFP_KERNEL,
 			mport->sys_size ? __fls(sizeof(void *)) + 4 : 0);
 	if (!rionet_active) {
@@ -504,11 +494,21 @@ static int rionet_probe(struct rio_dev *rdev, const struct rio_device_id *id)
 	int rc = -ENODEV;
 	u32 lpef, lsrc_ops, ldst_ops;
 	struct rionet_peer *peer;
+	struct net_device *ndev = NULL;

 	/* If local device is not rionet capable, give up quickly */
 	if (!rionet_capable)
 		goto out;

+	/* Allocate our net_device structure */
+	ndev = alloc_etherdev(sizeof(struct rionet_private));
+	if (ndev == NULL) {
+		printk(KERN_INFO "%s: could not allocate ethernet device.\n",
+		       DRV_NAME);
+		rc = -ENOMEM;
+		goto out;
+	}
+
 	/*
 	 * First time through, make sure local device is rionet
 	 * capable, setup netdev,  and set flags so this is skipped
@@ -529,7 +529,7 @@ static int rionet_probe(struct rio_dev *rdev, const struct rio_device_id *id)
 			goto out;
 		}

-		rc = rionet_setup_netdev(rdev->net->hport);
+		rc = rionet_setup_netdev(rdev->net->hport, ndev);
 		rionet_check = 1;
 	}

@@ -546,6 +546,8 @@ static int rionet_probe(struct rio_dev *rdev, const struct rio_device_id *id)
 		list_add_tail(&peer->node, &rionet_peers);
 	}

+	rio_set_drvdata(rdev, ndev);
+
      out:
 	return rc;
 }