aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefano Brivio <stefano.brivio@polimi.it>2008-01-13 12:35:52 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 18:10:10 -0500
commit222b01b7fef6e7ebea9e76ce08a783571569797b (patch)
treea95619da0e60695a39e52b0229625ad27cb4e5b2
parent66dcb6bdc57a799a16e8d2942b9ab38b8546eb3b (diff)
b43legacy: fix use-after-free rfkill bug
Fix rfkill code which caused a use-after-free bug. Thanks to David Woodhouse for spotting this out. Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/b43legacy/rfkill.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/net/wireless/b43legacy/rfkill.c b/drivers/net/wireless/b43legacy/rfkill.c
index 520910fd5c45..d178dfbb1c9f 100644
--- a/drivers/net/wireless/b43legacy/rfkill.c
+++ b/drivers/net/wireless/b43legacy/rfkill.c
@@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43legacy_wldev *dev)
141 rfk->rfkill->user_claim_unsupported = 1; 141 rfk->rfkill->user_claim_unsupported = 1;
142 142
143 rfk->poll_dev = input_allocate_polled_device(); 143 rfk->poll_dev = input_allocate_polled_device();
144 if (!rfk->poll_dev) 144 if (!rfk->poll_dev) {
145 goto err_free_rfk; 145 rfkill_free(rfk->rfkill);
146 goto err_freed_rfk;
147 }
148
146 rfk->poll_dev->private = dev; 149 rfk->poll_dev->private = dev;
147 rfk->poll_dev->poll = b43legacy_rfkill_poll; 150 rfk->poll_dev->poll = b43legacy_rfkill_poll;
148 rfk->poll_dev->poll_interval = 1000; /* msecs */ 151 rfk->poll_dev->poll_interval = 1000; /* msecs */
@@ -178,8 +181,7 @@ err_unreg_rfk:
178err_free_polldev: 181err_free_polldev:
179 input_free_polled_device(rfk->poll_dev); 182 input_free_polled_device(rfk->poll_dev);
180 rfk->poll_dev = NULL; 183 rfk->poll_dev = NULL;
181err_free_rfk: 184err_freed_rfk:
182 rfkill_free(rfk->rfkill);
183 rfk->rfkill = NULL; 185 rfk->rfkill = NULL;
184out_error: 186out_error:
185 rfk->registered = 0; 187 rfk->registered = 0;
@@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43legacy_wldev *dev)
198 rfkill_unregister(rfk->rfkill); 200 rfkill_unregister(rfk->rfkill);
199 input_free_polled_device(rfk->poll_dev); 201 input_free_polled_device(rfk->poll_dev);
200 rfk->poll_dev = NULL; 202 rfk->poll_dev = NULL;
201 rfkill_free(rfk->rfkill);
202 rfk->rfkill = NULL; 203 rfk->rfkill = NULL;
203} 204}
204 205