The 'rt2x00lib_probe_dev' function tries to
allocate the workqueue. If the allocation
fails, 'rt2x00_lib_remove_dev' is called on
the error path. Because 'rt2x00dev->workqueue'
is NULL in this case, the 'destroy_workqueue'
call will cause a NULL pointer dereference.
Signed-off-by: Gabor Juhos <[email protected]>
---
drivers/net/wireless/rt2x00/rt2x00dev.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index bae5b01..d62e64f 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1232,7 +1232,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
cancel_work_sync(&rt2x00dev->rxdone_work);
cancel_work_sync(&rt2x00dev->txdone_work);
}
- destroy_workqueue(rt2x00dev->workqueue);
+ if (rt2x00dev->workqueue)
+ destroy_workqueue(rt2x00dev->workqueue);
/*
* Free the tx status fifo.
--
1.7.2.1
On 16 feb. 2012, at 20:44, Gabor Juhos <[email protected]> wrote:
> The 'rt2x00lib_probe_dev' function tries to
> allocate the workqueue. If the allocation
> fails, 'rt2x00_lib_remove_dev' is called on
> the error path. Because 'rt2x00dev->workqueue'
> is NULL in this case, the 'destroy_workqueue'
> call will cause a NULL pointer dereference.
>
> Signed-off-by: Gabor Juhos <[email protected]>
Good catch.
Acked-by: Gertjan van Wingerde <[email protected]>
> ---
> drivers/net/wireless/rt2x00/rt2x00dev.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> index bae5b01..d62e64f 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> @@ -1232,7 +1232,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
> cancel_work_sync(&rt2x00dev->rxdone_work);
> cancel_work_sync(&rt2x00dev->txdone_work);
> }
> - destroy_workqueue(rt2x00dev->workqueue);
> + if (rt2x00dev->workqueue)
> + destroy_workqueue(rt2x00dev->workqueue);
>
> /*
> * Free the tx status fifo.
> --
> 1.7.2.1
>
>
> _______________________________________________
> users mailing list
> [email protected]
> http://rt2x00.serialmonkey.com/mailman/listinfo/users_rt2x00.serialmonkey.com
On Thu, Feb 16, 2012 at 8:44 PM, Gabor Juhos <[email protected]> wrote:
> The 'rt2x00lib_probe_dev' function tries to
> allocate the workqueue. If the allocation
> fails, 'rt2x00_lib_remove_dev' is called on
> the error path. Because 'rt2x00dev->workqueue'
> is NULL in this case, the 'destroy_workqueue'
> call will cause a NULL pointer dereference.
>
> Signed-off-by: Gabor Juhos <[email protected]>
Acked-by: Ivo van Doorn <[email protected]>
> ---
> ?drivers/net/wireless/rt2x00/rt2x00dev.c | ? ?3 ++-
> ?1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
> index bae5b01..d62e64f 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00dev.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
> @@ -1232,7 +1232,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
> ? ? ? ? ? ? ? ?cancel_work_sync(&rt2x00dev->rxdone_work);
> ? ? ? ? ? ? ? ?cancel_work_sync(&rt2x00dev->txdone_work);
> ? ? ? ?}
> - ? ? ? destroy_workqueue(rt2x00dev->workqueue);
> + ? ? ? if (rt2x00dev->workqueue)
> + ? ? ? ? ? ? ? destroy_workqueue(rt2x00dev->workqueue);
>
> ? ? ? ?/*
> ? ? ? ? * Free the tx status fifo.
> --
> 1.7.2.1
>