diff options
| author | Amitkumar Karwar <akarwar@marvell.com> | 2013-07-30 20:18:15 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2013-08-01 15:34:35 -0400 |
| commit | c3afd99fb5adfb31925f0b493a0d4152cd6447cc (patch) | |
| tree | ab32f800a9ef13b1a328018232ed8fa1639b45cd | |
| parent | 7546ff95499781306e8fd7d84ae38b84be961364 (diff) | |
mwifiex: fix adapter pointer dereference issue
It has introduced by recent commit 6b41f941d7cd: "mwifiex:
handle driver initialization error paths" which adds error
path handling for mwifiex_fw_dpc().
release_firmware(adapter->*) is called for success as well
as failure paths. In failure paths, adapter is already freed
at this point.
The issue is fixed by moving mwifiex_free_adapter() call.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | drivers/net/wireless/mwifiex/main.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c index 5644c7f86fcb..3402bffdd016 100644 --- a/drivers/net/wireless/mwifiex/main.c +++ b/drivers/net/wireless/mwifiex/main.c | |||
| @@ -414,6 +414,8 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context) | |||
| 414 | struct mwifiex_private *priv; | 414 | struct mwifiex_private *priv; |
| 415 | struct mwifiex_adapter *adapter = context; | 415 | struct mwifiex_adapter *adapter = context; |
| 416 | struct mwifiex_fw_image fw; | 416 | struct mwifiex_fw_image fw; |
| 417 | struct semaphore *sem = adapter->card_sem; | ||
| 418 | bool init_failed = false; | ||
| 417 | 419 | ||
| 418 | if (!firmware) { | 420 | if (!firmware) { |
| 419 | dev_err(adapter->dev, | 421 | dev_err(adapter->dev, |
| @@ -528,15 +530,20 @@ err_dnld_fw: | |||
| 528 | } | 530 | } |
| 529 | adapter->surprise_removed = true; | 531 | adapter->surprise_removed = true; |
| 530 | mwifiex_terminate_workqueue(adapter); | 532 | mwifiex_terminate_workqueue(adapter); |
| 531 | mwifiex_free_adapter(adapter); | 533 | init_failed = true; |
| 532 | done: | 534 | done: |
| 533 | if (adapter->cal_data) { | 535 | if (adapter->cal_data) { |
| 534 | release_firmware(adapter->cal_data); | 536 | release_firmware(adapter->cal_data); |
| 535 | adapter->cal_data = NULL; | 537 | adapter->cal_data = NULL; |
| 536 | } | 538 | } |
| 537 | release_firmware(adapter->firmware); | 539 | if (adapter->firmware) { |
| 540 | release_firmware(adapter->firmware); | ||
| 541 | adapter->firmware = NULL; | ||
| 542 | } | ||
| 538 | complete(&adapter->fw_load); | 543 | complete(&adapter->fw_load); |
| 539 | up(adapter->card_sem); | 544 | if (init_failed) |
| 545 | mwifiex_free_adapter(adapter); | ||
| 546 | up(sem); | ||
| 540 | return; | 547 | return; |
| 541 | } | 548 | } |
| 542 | 549 | ||