projects / deliverable / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
zd1211rw: fix potential use-after-free bug
[deliverable/linux.git] / drivers / net / wireless / zd1211rw / zd_usb.c
diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
index 5316074f39f0b0c28e73ace87813ecb0e3883ef6..12e24f04dddfcd48aa65526dfe94bbd5beab5c83 100644 (file)
--- a/drivers/net/wireless/zd1211rw/zd_usb.c
+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
@@ -889,9 +889,13 @@ static void tx_urb_complete(struct urb *urb)
        }
 free_urb:
        skb = (struct sk_buff *)urb->context;
-       zd_mac_tx_to_dev(skb, urb->status);
+       /*
+        * grab 'usb' pointer before handing off the skb (since
+        * it might be freed by zd_mac_tx_to_dev or mac80211)
+        */
        cb = (struct zd_tx_skb_control_block *)skb->cb;
        usb = &zd_hw_mac(cb->hw)->chip.usb;
+       zd_mac_tx_to_dev(skb, urb->status);
        free_tx_urb(usb, urb);
        tx_dec_submitted_urbs(usb);
        return;
Linux kernel - Deliverables
This page took 0.03876 seconds and 5 git commands to generate.