From 517ff43146b17a0d067125f098f675d1e0ac2d82 Mon Sep 17 00:00:00 2001 From: Daniel Drake Date: Wed, 24 Nov 2010 16:00:49 +0000 Subject: libertas: fix memory corruption in lbs_remove_card() "priv" is stored at the end of the wiphy structure, which is freed during the call to lbs_cfg_free(). It must not be touched afterwards. Remove the unnecessary NULL assignment causing this memory corruption. Signed-off-by: Daniel Drake Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/main.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'drivers/net/wireless/libertas') diff --git a/drivers/net/wireless/libertas/main.c b/drivers/net/wireless/libertas/main.c index 46b88b118c99..fcd1bbfc632d 100644 --- a/drivers/net/wireless/libertas/main.c +++ b/drivers/net/wireless/libertas/main.c @@ -915,8 +915,6 @@ void lbs_remove_card(struct lbs_private *priv) lbs_free_adapter(priv); lbs_cfg_free(priv); - - priv->dev = NULL; free_netdev(dev); lbs_deb_leave(LBS_DEB_MAIN); -- cgit v1.2.3 From 16ccdf0dbc84b11bc8b7fdbad66804d06a683554 Mon Sep 17 00:00:00 2001 From: Sven Neumann Date: Wed, 24 Nov 2010 16:02:00 +0000 Subject: libertas: fix invalid access card->priv must not be accessed after lbs_remove_card() was called as lbs_remove_card() frees card->priv via free_netdev(). For libertas_sdio this is a regression introduced by 23b149c1890f9. The correct fix to the issue described there is simply to remove the assignment. This flag is set at the appropriate time inside lbs_remove_card anyway. Reported-by: Daniel Drake Signed-off-by: Sven Neumann Signed-off-by: Daniel Drake Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/if_sdio.c | 1 - drivers/net/wireless/libertas/if_spi.c | 1 - 2 files changed, 2 deletions(-) (limited to 'drivers/net/wireless/libertas') diff --git a/drivers/net/wireless/libertas/if_sdio.c b/drivers/net/wireless/libertas/if_sdio.c index e5685dc317a8..b4de0ca10feb 100644 --- a/drivers/net/wireless/libertas/if_sdio.c +++ b/drivers/net/wireless/libertas/if_sdio.c @@ -1170,7 +1170,6 @@ static void if_sdio_remove(struct sdio_func *func) lbs_deb_sdio("call remove card\n"); lbs_stop_card(card->priv); lbs_remove_card(card->priv); - card->priv->surpriseremoved = 1; flush_workqueue(card->workqueue); destroy_workqueue(card->workqueue); diff --git a/drivers/net/wireless/libertas/if_spi.c b/drivers/net/wireless/libertas/if_spi.c index 79bcb4e5d2ca..ecd4d04b2c3c 100644 --- a/drivers/net/wireless/libertas/if_spi.c +++ b/drivers/net/wireless/libertas/if_spi.c @@ -1055,7 +1055,6 @@ static int __devexit libertas_spi_remove(struct spi_device *spi) lbs_stop_card(priv); lbs_remove_card(priv); /* will call free_netdev */ - priv->surpriseremoved = 1; free_irq(spi->irq, card); if_spi_terminate_spi_thread(card); if (card->pdata->teardown) -- cgit v1.2.3