git.baikalelectronics.ru Git - kernel.git/commit

author	Arend Van Spriel <arend.vanspriel@broadcom.com>
	Sat, 24 Jun 2017 21:08:27 +0000 (22:08 +0100)
committer	Kalle Valo <kvalo@codeaurora.org>
	Tue, 27 Jun 2017 14:13:57 +0000 (17:13 +0300)
commit	e03bf065f55587ad98ed187d008d36861a00b1c2
tree	f818ed0d189e323f488c04b57b8e533df1cd1cb5	tree \| snapshot
parent	7110dd8beec0bd008fe000e705195cfad82abab7	commit \| diff

brcmfmac: fix double free upon register_netdevice() failure

The function brcmf_net_attach() can only fail when register_netdevice()
fails. When this happens register_netdevice() calls priv_destructor, ie.
brcmf_cfg80211_free_netdev() freeing the vif instance. Also upon this
failure brcmf_net_attach() calls free_netdev(). However, callers are also
doing cleanup resulting in double free. In some places they need netdev
private space as it holds parameters to communicate with the device. So
we want to do the cleanup only in callers of brcmf_net_attach() by making
the following changes:

- set priv_destructor after register_netdevice() succeeds.
- remove call to free_netdev() in brcmf_net_attach().
- call free_netdev() in brcmf_net_detach() for unregistered netdev.
- add free_netdev() if brcmf_net_attach() fails for a created interface.

Fixes: 4ec503a11a56 ("net: Fix inconsistent teardown and release of private netdev state.")
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c		diff \| blob \| history
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c		diff \| blob \| history
drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c		diff \| blob \| history