Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx> wrote:

> The function brcmf_net_attach() can only fail when register_netdevice()
> fails. When this happens register_netdevice() calls priv_destructor, ie.
> brcmf_cfg80211_free_netdev() freeing the vif instance. Also upon this
> failure brcmf_net_attach() calls free_netdev(). However, callers are also
> doing cleanup resulting in double free. In some places they need netdev
> private space as it holds parameters to communicate with the device. So
> we want to do the cleanup only in callers of brcmf_net_attach() by making
> the following changes:
>
>  - set priv_destructor after register_netdevice() succeeds.
>  - remove call to free_netdev() in brcmf_net_attach().
>  - call free_netdev() in brcmf_net_detach() for unregistered netdev.
>  - add free_netdev() if brcmf_net_attach() fails for a created interface.
>
> Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.")
> Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx>
> Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx>
> Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>

Patch applied to wireless-drivers-next.git, thanks.

dca2307ed625 brcmfmac: fix double free upon register_netdevice() failure

-- 
https://patchwork.kernel.org/patch/9807903/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
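
The ownership problem described in the quoted commit message, as an added userspace model that is not part of the original mail and is not brcmfmac or kernel code. All names are hypothetical, the caller is assumed to release both the vif and the netdev on failure, and releases are counted rather than performed so the double free is visible as a count.

```c
#include <stdio.h>
/* Userspace model, all names hypothetical (not brcmfmac or kernel code).
 * Releases are counted, not performed, so a double free reads as 2. */
struct model_netdev {
    void (*priv_destructor)(struct model_netdev *);
    int vif_releases, netdev_releases;
};

static void model_free_vif(struct model_netdev *nd) { nd->vif_releases++; }
static void model_free_netdev(struct model_netdev *nd) { nd->netdev_releases++; }

/* Failing registration: runs priv_destructor if one is already set. */
static int model_register_fail(struct model_netdev *nd)
{
    if (nd->priv_destructor)
        nd->priv_destructor(nd);
    return -1;
}

/* fixed == 0 models the old ordering, fixed == 1 the ordering in the patch. */
static int model_attach(struct model_netdev *nd, int fixed)
{
    if (!fixed)
        nd->priv_destructor = model_free_vif;  /* old: set before registering */
    if (model_register_fail(nd) < 0) {
        if (!fixed)
            model_free_netdev(nd);             /* old: attach frees netdev too */
        return -1;
    }
    nd->priv_destructor = model_free_vif;      /* new: set only after success */
    return 0;
}

/* Caller's error path, assumed to release both objects itself. */
static struct model_netdev run_failure(int fixed)
{
    struct model_netdev nd = {0};
    if (model_attach(&nd, fixed) < 0) {
        model_free_vif(&nd);
        model_free_netdev(&nd);
    }
    return nd;
}

int main(void)
{
    struct model_netdev o = run_failure(0), n = run_failure(1);
    printf("old: vif=%d netdev=%d\n", o.vif_releases, o.netdev_releases);
    printf("new: vif=%d netdev=%d\n", n.vif_releases, n.netdev_releases);
    return 0;
}
```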