2008-05-04 07:01:49

by Pavel Emelyanov

Subject: [PATCH][MAC80211]: Do not free net device after it is unregistered.

The error path in ieee80211_register_hw() may call the unregister_netdev()
and right after it - the free_netdev(), which is wrong, since the
unregister releases the device itself.

So the proposed fix is to NULL the local->mdev after unregister is done
and check this before calling free_netdev().

I checked - no code uses the local->mdev after unregister in this error
path (but even if some did this would be a BUG).

Signed-off-by: Pavel Emelyanov <[email protected]>

---
net/mac80211/main.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 9ad4e36..915afad 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1766,6 +1766,7 @@ fail_wep:
fail_rate:
ieee80211_debugfs_remove_netdev(IEEE80211_DEV_TO_SUB_IF(local->mdev));
unregister_netdevice(local->mdev);
+ local->mdev = NULL;
fail_dev:
rtnl_unlock();
sta_info_stop(local);
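Review bot: At fail_rate, the new "local->mdev = NULL;" after unregister_netdevice(local->mdev) carries no comment saying that the unregister is what releases the device, so without the commit message the assignment reads like a dropped pointer. Suggest a one-line comment above it stating that the device is released by the unregister and that NULL tells the fail_workqueue cleanup to skip the free. The commit message also names unregister_netdev() while this path calls unregister_netdevice(); worth making the two match.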
@@ -1773,8 +1774,10 @@ fail_sta_info:
debugfs_hw_del(local);
destroy_workqueue(local->hw.workqueue);
fail_workqueue:
- ieee80211_if_free(local->mdev);
- local->mdev = NULL;
+ if (local->mdev != NULL) {
+ ieee80211_if_free(local->mdev);
+ local->mdev = NULL;
+ }
fail_mdev_alloc:
wiphy_unregister(local->hw.wiphy);
return result;
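Review bot: In the fail_workqueue cleanup, "if (local->mdev != NULL)" is normally written "if (local->mdev)" in kernel style, and the guard now depends on an assignment made two labels earlier under fail_rate, so a short comment here saying that NULL means the device was already released by the unregister would keep the two sites in sync. Error paths that enter at fail_dev, fail_sta_info or fail_workqueue skip that assignment and still reach ieee80211_if_free() with the pointer set, which looks like the intended behaviour.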
--
1.5.3.4



2008-05-05 00:59:43

by David Miller

Subject: Re: [PATCH][MAC80211]: Do not free net device after it is unregistered.

From: Pavel Emelyanov <[email protected]>
Date: Sun, 04 May 2008 10:53:45 +0400

> The error path in ieee80211_register_hw() may call the unregister_netdev()
> and right after it - the free_netdev(), which is wrong, since the
> unregister releases the device itself.
>
> So the proposed fix is to NULL the local->mdev after unregister is done
> and check this before calling free_netdev().
>
> I checked - no code uses the local->mdev after unregister in this error
> path (but even if some did this would be a BUG).
>
> Signed-off-by: Pavel Emelyanov <[email protected]>

I'll take this.

Applied, thanks Pavel.