summaryrefslogtreecommitdiffstats
path: root/drivers/net/wireless/mwifiex
diff options
context:
space:
mode:
authorAmitkumar Karwar <akarwar@marvell.com>2013-07-30 17:18:15 -0700
committerJohn W. Linville <linville@tuxdriver.com>2013-08-01 15:34:35 -0400
commitc3afd99fb5adfb31925f0b493a0d4152cd6447cc (patch)
treeab32f800a9ef13b1a328018232ed8fa1639b45cd /drivers/net/wireless/mwifiex
parent7546ff95499781306e8fd7d84ae38b84be961364 (diff)
mwifiex: fix adapter pointer dereference issue
It has introduced by recent commit 6b41f941d7cd: "mwifiex: handle driver initialization error paths" which adds error path handling for mwifiex_fw_dpc(). release_firmware(adapter->*) is called for success as well as failure paths. In failure paths, adapter is already freed at this point. The issue is fixed by moving mwifiex_free_adapter() call. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/mwifiex')
-rw-r--r--drivers/net/wireless/mwifiex/main.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c
index 5644c7f86fc..3402bffdd01 100644
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -414,6 +414,8 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
struct mwifiex_private *priv;
struct mwifiex_adapter *adapter = context;
struct mwifiex_fw_image fw;
+ struct semaphore *sem = adapter->card_sem;
+ bool init_failed = false;
if (!firmware) {
dev_err(adapter->dev,
@@ -528,15 +530,20 @@ err_dnld_fw:
}
adapter->surprise_removed = true;
mwifiex_terminate_workqueue(adapter);
- mwifiex_free_adapter(adapter);
+ init_failed = true;
done:
if (adapter->cal_data) {
release_firmware(adapter->cal_data);
adapter->cal_data = NULL;
}
- release_firmware(adapter->firmware);
+ if (adapter->firmware) {
+ release_firmware(adapter->firmware);
+ adapter->firmware = NULL;
+ }
complete(&adapter->fw_load);
- up(adapter->card_sem);
+ if (init_failed)
+ mwifiex_free_adapter(adapter);
+ up(sem);
return;
}