From: Xu Rao <redacted>

ioc3eth_remove() frees the coherent RX and TX descriptor rings before
unregistering the netdev. If the interface is running,
unregister_netdev() invokes ioc3_close() through ndo_stop.

ioc3_close() stops the device and then calls ioc3_free_rx_bufs() and
ioc3_clean_tx_ring(). Both cleanup functions access descriptors in the
rings, so the current ordering causes CPU accesses to freed coherent
memory. Until ioc3_stop() disables RX and TX DMA, the device may also
continue using the freed ring addresses.

Unregister the netdev before releasing the rings. This lets the core
close a running interface and quiesce the device while the rings are
still valid. Keep the explicit timer deletion because ndo_stop is not
called when the interface is already down.

Fixes: c7b572747549 ("net: sgi: ioc3-eth: allocate space for desc rings only once")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Rao <redacted>
---
 drivers/net/ethernet/sgi/ioc3-eth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/sgi/ioc3-eth.c b/drivers/net/ethernet/sgi/ioc3-eth.c
index 261f2d35d579..009f37105eaf 100644
--- a/drivers/net/ethernet/sgi/ioc3-eth.c
+++ b/drivers/net/ethernet/sgi/ioc3-eth.c

@@ -967,11 +967,12 @@ static void ioc3eth_remove(struct platform_device *pdev)
 	struct net_device *dev = platform_get_drvdata(pdev);
 	struct ioc3_private *ip = netdev_priv(dev);
 
+	unregister_netdev(dev);
+	timer_delete_sync(&ip->ioc3_timer);
+
 	dma_free_coherent(ip->dma_dev, RX_RING_SIZE, ip->rxr, ip->rxr_dma);
 	dma_free_coherent(ip->dma_dev, TX_RING_SIZE + SZ_16K - 1, ip->tx_ring, ip->txr_dma);
 
-	unregister_netdev(dev);
-	timer_delete_sync(&ip->ioc3_timer);
 	free_netdev(dev);
 }
 

-- 
2.50.1