authorWang Chen <wangchen@cn.fujitsu.com>2008-12-18 22:36:46 -0500
committerDavid S. Miller <davem@davemloft.net>2008-12-19 01:27:38 -0500
commitb88a2a22c6670c31586d1a716255eae4c320b363 (patch)
tree88b95546d0e53197c455771b36b499616c2b3a0d /drivers/net/wireless
parent3de77cf23e9a19b9fc28e3b29371308325428c39 (diff)
netdevice zd1201: Use after free
| commit 3d29b0c33d431ecc69ec778f8c236d382f59a85f | Author: John W. Linville <linville@tuxdriver.com> | Date: Fri Oct 31 14:13:12 2008 -0400 | | netdevice zd1201: Convert directly reference of netdev->priv to netdev_priv() | | We have some reasons to kill netdev->priv: | 1. netdev->priv is equal to netdev_priv(). | 2. netdev_priv() wraps the calculation of netdev->priv's offset, obviously | netdev_priv() is more flexible than netdev->priv. | But we can't kill netdev->priv, because so many drivers reference to it | directly. | | OK, because Dave S. Miller said, "every direct netdev->priv usage is a bug", | and I want to kill netdev->priv later, I decided to convert all the direct | reference of netdev->priv first. | | (Original patch posted by Wang Chen <wangchen@cn.fujitsu.com> w/ above | changelog but using dev->ml_priv. That doesn't seem appropriate | to me for this driver, so I've revamped it to use netdev_priv() | instead. -- JWL) This commit changed how the netdev is allocated, but did not change how it is freed. As a result, "zd" is used after the memory it points to has been freed by free_netdev(). Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r--drivers/net/wireless/zd1201.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/net/wireless/zd1201.c b/drivers/net/wireless/zd1201.c
index 3404807b3e12..b45c27d42fd8 100644
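--- a/drivers/net/wireless/zd1201.c
+++ b/drivers/net/wireless/zd1201.c
@@ -1841,10 +1841,6 @@ static void zd1201_disconnect(struct usb_interface *interface)
 if (!zd)
 return;
 usb_set_intfdata(interface, NULL);
-if (zd->dev) {
-unregister_netdev(zd->dev);
-free_netdev(zd->dev);
-}
 
 hlist_for_each_entry_safe(frag, node, node2, &zd->fraglist, fnode) {
 hlist_del_init(&frag->fnode);
@@ -1860,7 +1856,11 @@ static void zd1201_disconnect(struct usb_interface *interface)
 usb_kill_urb(zd->rx_urb);
 usb_free_urb(zd->rx_urb);
 }
-kfree(zd);
+
+if (zd->dev) {
+unregister_netdev(zd->dev);
+free_netdev(zd->dev);
+}
 }
 
 #ifdef CONFIG_PM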
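Review bot: Moving `unregister_netdev(zd->dev)` to the end of zd1201_disconnect() together with `free_netdev()` leaves the interface registered while the fragment list is emptied and `zd->rx_urb` is killed and freed above it, so a netdev callback that still runs in that window could reach a URB after `usb_free_urb()`. Only the free has to come last to close the use-after-free on `zd`; consider keeping `if (zd->dev) unregister_netdev(zd->dev);` where the old block stood and leaving `if (zd->dev) free_netdev(zd->dev);` as the final statement. The lines between the two hunks are not shown, so whether something there already quiesces the device cannot be confirmed from this page. A comment such as `/* zd is netdev_priv(zd->dev): free_netdev() releases it, so it must be the last use of zd */` would also explain why `kfree(zd)` was dropped.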