From patchwork Fri Jul 22 22:07:13 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pavel Roskin X-Patchwork-Id: 1001162 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter2.kernel.org (8.14.4/8.14.4) with ESMTP id p6MM7IUW003305 for ; Fri, 22 Jul 2011 22:07:19 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752383Ab1GVWHQ (ORCPT ); Fri, 22 Jul 2011 18:07:16 -0400 Received: from c60.cesmail.net ([216.154.195.49]:20019 "EHLO c60.cesmail.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750967Ab1GVWHP (ORCPT ); Fri, 22 Jul 2011 18:07:15 -0400 Received: from unknown (HELO smtprelay1.cesmail.net) ([192.168.1.111]) by c60.cesmail.net with ESMTP; 22 Jul 2011 18:07:15 -0400 Received: from mj.roinet.com (static-72-92-88-10.phlapa.fios.verizon.net [72.92.88.10]) by smtprelay1.cesmail.net (Postfix) with ESMTPSA id 8689234C98; Fri, 22 Jul 2011 18:11:40 -0400 (EDT) Subject: [PATCH] b43: fix invalid memory access in b43_ssb_remove() To: =?utf-8?b?UmFmYcWC?= =?utf-8?q?Mi=C5=82ecki?= , linux-wireless@vger.kernel.org, b43-dev@lists.infradead.org, "John W. Linville" From: Pavel Roskin Date: Fri, 22 Jul 2011 18:07:13 -0400 Message-ID: <20110722220016.15648.30628.stgit@mj.roinet.com> User-Agent: StGit/0.15-111-g507b MIME-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]); Fri, 22 Jul 2011 22:07:19 +0000 (UTC) wldev is freed in b43_one_core_detach() and should not be accessed after that call. Keep wldev->dev in a local variable. Signed-off-by: Pavel Roskin --- Linux 3.0 is not affected. The bug was introduced in 482f0538. drivers/net/wireless/b43/main.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c index d9f53b7..85d6a1f 100644 --- a/drivers/net/wireless/b43/main.c +++ b/drivers/net/wireless/b43/main.c @@ -5350,6 +5350,7 @@ static void b43_ssb_remove(struct ssb_device *sdev) { struct b43_wl *wl = ssb_get_devtypedata(sdev); struct b43_wldev *wldev = ssb_get_drvdata(sdev); + struct b43_bus_dev *dev = wldev->dev; /* We must cancel any work here before unregistering from ieee80211, * as the ieee80211 unreg will destroy the workqueue. */ @@ -5365,14 +5366,14 @@ static void b43_ssb_remove(struct ssb_device *sdev) ieee80211_unregister_hw(wl->hw); } - b43_one_core_detach(wldev->dev); + b43_one_core_detach(dev); if (list_empty(&wl->devlist)) { b43_leds_unregister(wl); /* Last core on the chip unregistered. * We can destroy common struct b43_wl. */ - b43_wireless_exit(wldev->dev, wl); + b43_wireless_exit(dev, wl); } }