driver inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICJVFM CVE: NA ------------------------------------ KASAN report a use-after-free case in rnpm_remove(). The pf_adapter is already be freed in rnpm_rm_pf_adapter(), but using pf_adapter->hw.mbx after that. Fix it by moving the dma_free_coherent() into rnpm_rm_pf_adapter() just before releasing pf_adapter, that also fix reply_dma leaking on rnpm_probe() error path. Fixes: 5deaf74c4b3e ("drivers: initial support for rnpm drivers from Mucse Technology") Signed-off-by: Ding Hui <dinghui@sangfor.com.cn> --- drivers/net/ethernet/mucse/rnpm/rnpm_main.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) --- v2: add Fixes: tag diff --git a/drivers/net/ethernet/mucse/rnpm/rnpm_main.c b/drivers/net/ethernet/mucse/rnpm/rnpm_main.c index 8c920f2fd9bc..3b1a3d872e22 100644 --- a/drivers/net/ethernet/mucse/rnpm/rnpm_main.c +++ b/drivers/net/ethernet/mucse/rnpm/rnpm_main.c @@ -8296,6 +8296,11 @@ static int rnpm_rm_pf_adapter(struct pci_dev *pdev, if (pf_adapter->hw_addr4) pcim_iounmap(pdev, pf_adapter->hw_addr4); + if (pf_adapter->hw.mbx.reply_dma) + dma_free_coherent(&pdev->dev, pf_adapter->hw.mbx.reply_dma_size, + pf_adapter->hw.mbx.reply_dma, + pf_adapter->hw.mbx.reply_dma_phy); + if (pf_adapter) devm_kfree(&pdev->dev, pf_adapter); @@ -8977,9 +8982,6 @@ static void rnpm_remove(struct pci_dev *pdev) rnpm_rm_pf_adapter(pdev, &pf_adapter); // pci_release_selected_regions(pdev, pci_select_bars(pdev, // IORESOURCE_MEM)); - dma_free_coherent(&pdev->dev, pf_adapter->hw.mbx.reply_dma_size, - pf_adapter->hw.mbx.reply_dma, - pf_adapter->hw.mbx.reply_dma_phy); pci_release_mem_regions(pdev); pci_disable_device(pdev); } -- 2.17.1