summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorStefano Brivio <stefano.brivio@polimi.it>2008-01-13 18:35:52 +0100
committerDavid S. Miller <davem@davemloft.net>2008-01-28 15:10:10 -0800
commit222b01b7fef6e7ebea9e76ce08a783571569797b (patch)
treea95619da0e60695a39e52b0229625ad27cb4e5b2 /drivers
parent66dcb6bdc57a799a16e8d2942b9ab38b8546eb3b (diff)
downloadlinux-222b01b7fef6e7ebea9e76ce08a783571569797b.tar.gz
linux-222b01b7fef6e7ebea9e76ce08a783571569797b.tar.bz2
linux-222b01b7fef6e7ebea9e76ce08a783571569797b.zip
b43legacy: fix use-after-free rfkill bug
Fix rfkill code which caused a use-after-free bug. Thanks to David Woodhouse for spotting this out. Cc: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Stefano Brivio <stefano.brivio@polimi.it> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/b43legacy/rfkill.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/net/wireless/b43legacy/rfkill.c b/drivers/net/wireless/b43legacy/rfkill.c
index 520910fd5c45..d178dfbb1c9f 100644
--- a/drivers/net/wireless/b43legacy/rfkill.c
+++ b/drivers/net/wireless/b43legacy/rfkill.c
@@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43legacy_wldev *dev)
rfk->rfkill->user_claim_unsupported = 1;
rfk->poll_dev = input_allocate_polled_device();
- if (!rfk->poll_dev)
- goto err_free_rfk;
+ if (!rfk->poll_dev) {
+ rfkill_free(rfk->rfkill);
+ goto err_freed_rfk;
+ }
+
rfk->poll_dev->private = dev;
rfk->poll_dev->poll = b43legacy_rfkill_poll;
rfk->poll_dev->poll_interval = 1000; /* msecs */
@@ -178,8 +181,7 @@ err_unreg_rfk:
err_free_polldev:
input_free_polled_device(rfk->poll_dev);
rfk->poll_dev = NULL;
-err_free_rfk:
- rfkill_free(rfk->rfkill);
+err_freed_rfk:
rfk->rfkill = NULL;
out_error:
rfk->registered = 0;
@@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43legacy_wldev *dev)
rfkill_unregister(rfk->rfkill);
input_free_polled_device(rfk->poll_dev);
rfk->poll_dev = NULL;
- rfkill_free(rfk->rfkill);
rfk->rfkill = NULL;
}