From c3afd99fb5adfb31925f0b493a0d4152cd6447cc Mon Sep 17 00:00:00 2001
From: Amitkumar Karwar
Date: Tue, 30 Jul 2013 17:18:15 -0700
Subject: mwifiex: fix adapter pointer dereference issue

It has introduced by recent commit 6b41f941d7cd: "mwifiex: handle driver initialization error paths" which adds error path handling for mwifiex_fw_dpc(). release_firmware(adapter->*) is called for success as well as failure paths. In failure paths, adapter is already freed at this point. The issue is fixed by moving mwifiex_free_adapter() call.

Reported-by: Dan Carpenter
Signed-off-by: Amitkumar Karwar
Signed-off-by: Bing Zhao
Signed-off-by: John W. Linville
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c
index 5644c7f..3402bff 100644
--- a/drivers/net/wireless/mwifiex/main.c
+++ b/drivers/net/wireless/mwifiex/main.c
@@ -414,6 +414,8 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
 struct mwifiex_private *priv;
 struct mwifiex_adapter *adapter = context;
 struct mwifiex_fw_image fw;
+ struct semaphore *sem = adapter->card_sem;
+ bool init_failed = false;
 if (!firmware) {
 dev_err(adapter->dev,
@@ -528,15 +530,20 @@ err_dnld_fw:
 }
 adapter->surprise_removed = true;
 mwifiex_terminate_workqueue(adapter);
- mwifiex_free_adapter(adapter);
+ init_failed = true;
 done:
 if (adapter->cal_data) {
 release_firmware(adapter->cal_data);
 adapter->cal_data = NULL;
 }
- release_firmware(adapter->firmware);
+ if (adapter->firmware) {
+ release_firmware(adapter->firmware);
+ adapter->firmware = NULL;
+ }
 complete(&adapter->fw_load);
- up(adapter->card_sem);
+ if (init_failed)
+ mwifiex_free_adapter(adapter);
+ up(sem);
 return;
 }
-- 
cgit v0.10.2
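Review bot: The new local `sem` in the first hunk carries no comment explaining why the semaphore pointer is copied out of the adapter, and without one a later cleanup could fold it back into `up(adapter->card_sem)` and reintroduce the use-after-free. I would add `/* adapter may be freed on the error path before up(); keep card_sem */` above the declaration. The initializer also dereferences `context` at function entry, which matches the existing `adapter->dev` use just below it, so it adds no new assumption provided the callback is never registered with a NULL context. That registration is outside this hunk, as is the rest of mwifiex_fw_dpc.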
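Review bot: In the second hunk the failure path now runs `complete(&adapter->fw_load)` immediately before `mwifiex_free_adapter(adapter)`, so any thread woken by that completion can run while the adapter is being freed. The waiters on `fw_load` are not visible here; if one of them touches `adapter` after waking (presumably a remove path), the use-after-free has moved rather than gone away. It is worth confirming that the waiter cannot reach the adapter on this path and that any other stored pointer to it is cleared. A comment at the free would also help: `/* adapter is invalid past this point; only the cached sem may be used */`. The function begins outside this hunk.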