From 222b01b7fef6e7ebea9e76ce08a783571569797b Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Sun, 13 Jan 2008 18:35:52 +0100 Subject: b43legacy: fix use-after-free rfkill bug Fix rfkill code which caused a use-after-free bug. Thanks to David Woodhouse for spotting this out. Cc: David Woodhouse Signed-off-by: Stefano Brivio Signed-off-by: John W. Linville --- drivers/net/wireless/b43legacy/rfkill.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/b43legacy/rfkill.c b/drivers/net/wireless/b43legacy/rfkill.c index 520910fd5c45..d178dfbb1c9f 100644 --- a/drivers/net/wireless/b43legacy/rfkill.c +++ b/drivers/net/wireless/b43legacy/rfkill.c @@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43legacy_wldev *dev) rfk->rfkill->user_claim_unsupported = 1; rfk->poll_dev = input_allocate_polled_device(); - if (!rfk->poll_dev) - goto err_free_rfk; + if (!rfk->poll_dev) { + rfkill_free(rfk->rfkill); + goto err_freed_rfk; + } + rfk->poll_dev->private = dev; rfk->poll_dev->poll = b43legacy_rfkill_poll; rfk->poll_dev->poll_interval = 1000; /* msecs */ @@ -178,8 +181,7 @@ err_unreg_rfk: err_free_polldev: input_free_polled_device(rfk->poll_dev); rfk->poll_dev = NULL; -err_free_rfk: - rfkill_free(rfk->rfkill); +err_freed_rfk: rfk->rfkill = NULL; out_error: rfk->registered = 0; @@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43legacy_wldev *dev) rfkill_unregister(rfk->rfkill); input_free_polled_device(rfk->poll_dev); rfk->poll_dev = NULL; - rfkill_free(rfk->rfkill); rfk->rfkill = NULL; } -- cgit v1.2.3