aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMathias Krause <minipli@googlemail.com>2011-01-30 05:29:47 -0500
committerJohn W. Linville <linville@tuxdriver.com>2011-01-31 14:48:15 -0500
commit9b00b4157f7b3265de291ac8979a5f1611ce64ab (patch)
tree88e0fda1bbae8516a89695cdefa30289e66555f6
parentc7c1806098752c1f46943d8db2c69aff07f5d4bc (diff)
wl12xx: fix use after free
When DEBUG_SPI is included in the debug log level wl1271_spi_reset() will dump the already freed memory instead of the SPI buffer. This bug was spotted by the semantic patch tool coccinelle using the script found at scripts/coccinelle/free/kfree.cocci. More information about semantic patching is available at http://coccinelle.lip6.fr/ Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/wl12xx/spi.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/net/wireless/wl12xx/spi.c b/drivers/net/wireless/wl12xx/spi.c
index 46714910f98c..7145ea543783 100644
--- a/drivers/net/wireless/wl12xx/spi.c
+++ b/drivers/net/wireless/wl12xx/spi.c
@@ -110,9 +110,8 @@ static void wl1271_spi_reset(struct wl1271 *wl)
110 spi_message_add_tail(&t, &m); 110 spi_message_add_tail(&t, &m);
111 111
112 spi_sync(wl_to_spi(wl), &m); 112 spi_sync(wl_to_spi(wl), &m);
113 kfree(cmd);
114
115 wl1271_dump(DEBUG_SPI, "spi reset -> ", cmd, WSPI_INIT_CMD_LEN); 113 wl1271_dump(DEBUG_SPI, "spi reset -> ", cmd, WSPI_INIT_CMD_LEN);
114 kfree(cmd);
116} 115}
117 116
118static void wl1271_spi_init(struct wl1271 *wl) 117static void wl1271_spi_init(struct wl1271 *wl)