    wireless: ath9k-htc: fix possible use after free · e962610f
    Ming Lei authored
    Inside ath9k_hif_usb_firmware_fail(), the instance of
    'struct hif_device_usb' may be freed by
    ath9k_hif_usb_disconnect() after
    
    	complete(&hif_dev->fw_done);
    
    But 'hif_dev' is still accessed after the line of code
    above is executed.
    
    This patch fixes the issue by not accessing 'hif_dev'
    after 'complete(&hif_dev->fw_done)' inside
    ath9k_hif_usb_firmware_fail().
    
    Cc: ath9k-devel@lists.ath9k.org
    Cc: "Luis R. Rodriguez" <mcgrof@qca.qualcomm.com>
    Cc: Jouni Malinen <jouni@qca.qualcomm.com>
    Cc: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
    Cc: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
    Cc: "John W. Linville" <linville@tuxdriver.com>
    Signed-off-by: Ming Lei <ming.lei@canonical.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
hif_usb.c 30.9 KB
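
The lifetime rule the commit message describes, as an added userspace model that is not code from this commit or from the ath9k driver. The page does not show which members were read after the signal, so the `parent` field and every struct and function name below are assumptions made for illustration.

```c
/* Userspace model, not kernel code. complete() runs the waiter inline to
 * force the worst-case interleaving: the object is freed before complete()
 * returns. All struct and function names here are hypothetical. */
#include <stdlib.h>

struct parent_dev { int released; };
struct completion { int done; void (*waiter)(void *); void *arg; };

struct hif_model {
    struct parent_dev *parent;   /* assumed to outlive the hif object */
    struct completion fw_done;   /* embedded, so freed with the object */
};

static void complete(struct completion *c)
{
    void (*waiter)(void *) = c->waiter;  /* read before the object can go */
    void *arg = c->arg;

    c->done = 1;
    if (waiter)
        waiter(arg);                     /* c may be dangling after this */
}

/* Stands in for the disconnect path that waited on fw_done, then frees. */
static void disconnect_model(void *arg) { free(arg); }

/* Fixed shape: snapshot what is needed, signal, then use only the locals. */
static int firmware_fail_fixed(struct hif_model *hif)
{
    struct parent_dev *parent = hif->parent;  /* taken while hif is valid */

    complete(&hif->fw_done);
    /* hif is dangling here; reading hif->parent now is the use after free */
    if (!parent)
        return -1;
    parent->released = 1;    /* models the work done after the signal */
    return parent->released;
}

static int run_demo(void)
{
    static struct parent_dev parent;
    struct hif_model *hif = calloc(1, sizeof(*hif));

    if (!hif)
        return -1;
    hif->parent = &parent;
    hif->fw_done.waiter = disconnect_model;
    hif->fw_done.arg = hif;
    return firmware_fail_fixed(hif);
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

Building this with `-fsanitize=address` and moving the `hif->parent` read below the `complete()` call makes the sanitizer report the heap use after free at that line.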