Fix rfkill code which caused a use-after-free bug. Thanks to David
Woodhouse for spotting this out.
Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
Signed-off-by: Stefano Brivio <stefano.brivio@xxxxxxxxx>
---
Index: wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c
===================================================================
--- wireless-2.6.orig/drivers/net/wireless/b43legacy/rfkill.c
+++ wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c
@@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43leg
rfk->rfkill->user_claim_unsupported = 1;
rfk->poll_dev = input_allocate_polled_device();
- if (!rfk->poll_dev)
- goto err_free_rfk;
+ if (!rfk->poll_dev) {
+ rfkill_free(rfk->rfkill);
+ goto err_freed_rfk;
+ }
+
rfk->poll_dev->private = dev;
rfk->poll_dev->poll = b43legacy_rfkill_poll;
rfk->poll_dev->poll_interval = 1000; /* msecs */
@@ -178,8 +181,7 @@ err_unreg_rfk:
err_free_polldev:
input_free_polled_device(rfk->poll_dev);
rfk->poll_dev = NULL;
-err_free_rfk:
- rfkill_free(rfk->rfkill);
+err_freed_rfk:
rfk->rfkill = NULL;
out_error:
rfk->registered = 0;
@@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43leg
rfkill_unregister(rfk->rfkill);
input_free_polled_device(rfk->poll_dev);
rfk->poll_dev = NULL;
- rfkill_free(rfk->rfkill);
rfk->rfkill = NULL;
}
--
Ciao
Stefano
-
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
