
b43: fix invalid memory access in b43_ssb_remove()

Message ID 20110722220016.15648.30628.stgit@mj.roinet.com (mailing list archive)
State Not Applicable, archived

Commit Message

Pavel Roskin July 22, 2011, 10:07 p.m. UTC
wldev is freed in b43_one_core_detach() and should not be accessed after
that call.  Keep wldev->dev in a local variable.

Signed-off-by: Pavel Roskin <proski@gnu.org>
---

Linux 3.0 is not affected.  The bug was introduced in 482f0538.

 drivers/net/wireless/b43/main.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)


Comments

Pavel Roskin July 25, 2011, 4:26 p.m. UTC | #1
On 07/22/2011 06:07 PM, Pavel Roskin wrote:
> wldev is freed in b43_one_core_detach() and should not be accessed after
> that call.  Keep wldev->dev in a local variable.
>
> Signed-off-by: Pavel Roskin<proski@gnu.org>
> ---
>
> Linux 3.0 is not affected.  The bug was introduced in 482f0538.

P.S. This needs to be propagated to Linux 3.1.

> -	b43_one_core_detach(wldev->dev);
> +	b43_one_core_detach(dev);

As a long term solution, we probably want a function that takes wldev 
and has "free" in its name, so that the effect is clear.

Patch

diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c
index d9f53b7..85d6a1f 100644
--- a/drivers/net/wireless/b43/main.c
+++ b/drivers/net/wireless/b43/main.c
@@ -5350,6 +5350,7 @@  static void b43_ssb_remove(struct ssb_device *sdev)
 {
 	struct b43_wl *wl = ssb_get_devtypedata(sdev);
 	struct b43_wldev *wldev = ssb_get_drvdata(sdev);
+	struct b43_bus_dev *dev = wldev->dev;
 
 	/* We must cancel any work here before unregistering from ieee80211,
 	 * as the ieee80211 unreg will destroy the workqueue. */
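Review bot: The new local `dev` at the top of b43_ssb_remove() has no comment saying why it is cached, so a later cleanup could fold it back into `wldev->dev` and reintroduce the access after free described in the commit message. A short comment at the declaration, for example `/* wldev is freed by b43_one_core_detach(); keep the bus device */`, would record the intent. With `sdev` and `wldev` already in scope, a more specific name such as `bus_dev` would also make it clearer which device this is.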
@@ -5365,14 +5366,14 @@  static void b43_ssb_remove(struct ssb_device *sdev)
 		ieee80211_unregister_hw(wl->hw);
 	}
 
-	b43_one_core_detach(wldev->dev);
+	b43_one_core_detach(dev);
 
 	if (list_empty(&wl->devlist)) {
 		b43_leds_unregister(wl);
 		/* Last core on the chip unregistered.
 		 * We can destroy common struct b43_wl.
 		 */
-		b43_wireless_exit(wldev->dev, wl);
+		b43_wireless_exit(dev, wl);
 	}
 }
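Review bot: After `b43_one_core_detach(dev);` the local `wldev` stays in scope but, per the commit message, points to freed memory, and nothing in the function marks that. Consider setting `wldev = NULL;` right after the call, or adding a comment there, so that any later use fails visibly instead of reading freed memory. The changelog could also state that `dev` itself remains valid after the detach, since `b43_wireless_exit(dev, wl)` in the `list_empty()` branch depends on it.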