Commit 339a7c41 authored by Pavel Emelyanov's avatar Pavel Emelyanov Committed by David S. Miller

mac80211: Do not free net device after it is unregistered.

The error path in ieee80211_register_hw() may call the unregister_netdev()
and right after it - the free_netdev(), which is wrong, since the
unregister releases the device itself.

So the proposed fix is to NULL the local->mdev after unregister is done
and check this before calling free_netdev().

I checked - no code uses the local->mdev after unregister in this error
path (but even if some did this would be a BUG).
Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e340a90e
...@@ -1766,6 +1766,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) ...@@ -1766,6 +1766,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
fail_rate: fail_rate:
ieee80211_debugfs_remove_netdev(IEEE80211_DEV_TO_SUB_IF(local->mdev)); ieee80211_debugfs_remove_netdev(IEEE80211_DEV_TO_SUB_IF(local->mdev));
unregister_netdevice(local->mdev); unregister_netdevice(local->mdev);
local->mdev = NULL;
fail_dev: fail_dev:
rtnl_unlock(); rtnl_unlock();
sta_info_stop(local); sta_info_stop(local);
...@@ -1773,8 +1774,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) ...@@ -1773,8 +1774,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
debugfs_hw_del(local); debugfs_hw_del(local);
destroy_workqueue(local->hw.workqueue); destroy_workqueue(local->hw.workqueue);
fail_workqueue: fail_workqueue:
ieee80211_if_free(local->mdev); if (local->mdev != NULL) {
local->mdev = NULL; ieee80211_if_free(local->mdev);
local->mdev = NULL;
}
fail_mdev_alloc: fail_mdev_alloc:
wiphy_unregister(local->hw.wiphy); wiphy_unregister(local->hw.wiphy);
return result; return result;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment