Return-path: Received: from mfe1.polimi.it ([131.175.12.23]:49827 "EHLO polimi.it" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753069AbYAMRmB (ORCPT ); Sun, 13 Jan 2008 12:42:01 -0500 Date: Sun, 13 Jan 2008 18:35:52 +0100 From: Stefano Brivio To: "John W. Linville" Cc: linux-wireless@vger.kernel.org, bcm43xx-dev@lists.berlios.de, David Woodhouse Subject: [PATCH] b43legacy: fix use-after-free rfkill bug Message-ID: <20080113183552.17885131@morte> (sfid-20080113_174205_804708_AFE2C853) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-wireless-owner@vger.kernel.org List-ID: Fix rfkill code which caused a use-after-free bug. Thanks to David Woodhouse for spotting this out. Cc: David Woodhouse Signed-off-by: Stefano Brivio --- Index: wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c =================================================================== --- wireless-2.6.orig/drivers/net/wireless/b43legacy/rfkill.c +++ wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c @@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43leg rfk->rfkill->user_claim_unsupported = 1; rfk->poll_dev = input_allocate_polled_device(); - if (!rfk->poll_dev) - goto err_free_rfk; + if (!rfk->poll_dev) { + rfkill_free(rfk->rfkill); + goto err_freed_rfk; + } + rfk->poll_dev->private = dev; rfk->poll_dev->poll = b43legacy_rfkill_poll; rfk->poll_dev->poll_interval = 1000; /* msecs */ @@ -178,8 +181,7 @@ err_unreg_rfk: err_free_polldev: input_free_polled_device(rfk->poll_dev); rfk->poll_dev = NULL; -err_free_rfk: - rfkill_free(rfk->rfkill); +err_freed_rfk: rfk->rfkill = NULL; out_error: rfk->registered = 0; @@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43leg rfkill_unregister(rfk->rfkill); input_free_polled_device(rfk->poll_dev); rfk->poll_dev = NULL; - rfkill_free(rfk->rfkill); rfk->rfkill = NULL; } -- Ciao Stefano
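Review bot: in the first hunk (b43legacy_rfkill_init, the `!rfk->poll_dev` branch), cleanup is now split between an inline `rfkill_free(rfk->rfkill);` and the unwind labels, and nothing explains why this one path frees while the label paths do not. Add a one-line comment in the branch giving the reason, so a later cleanup does not move the free back under a label. The name err_freed_rfk is only accurate if every jump to it has already released rfk->rfkill, which is worth checking against the other gotos in the function.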
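Review bot: in the second hunk, err_free_polldev now falls through to err_freed_rfk with no rfkill_free on the way, so any `goto err_free_polldev` taken while rfk->rfkill is still allocated and has not been passed to rfkill_unregister would leak it. The jumps to err_free_polldev are outside the visible context. Please confirm each one, and if any of them is reached before registration has succeeded, give it its own rfkill_free the same way the `!rfk->poll_dev` branch got one.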
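Review bot: in the third hunk (b43legacy_rfkill_exit), the removed `rfkill_free(rfk->rfkill);` came right after `rfkill_unregister(rfk->rfkill);`, but the changelog only says "use-after-free" and never states that the structure must not be freed once it has been unregistered. Spell that out in the commit message or in a comment above the unregister call, otherwise the missing free reads like a leak and is likely to be reintroduced.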