From: Dan Carpenter Date: Fri, 28 Nov 2014 09:43:40 +0000 (+0300) Subject: brcmsmac: NULL dereferences in brcms_c_detach_mfree() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=c0fb754bd81fafcd63644d5482ba9669d3e4fe9c;p=GitHub%2Fexynos8895%2Fandroid_kernel_samsung_universal8895.git brcmsmac: NULL dereferences in brcms_c_detach_mfree() The brcms_c_attach_malloc() function can call this with a NULL "wlc->corestate" or "wlc->hw". Also I threw in a bonus cleanup by deleting an obvious comment and a no-op NULL assignment. :) Signed-off-by: Dan Carpenter Acked-by: Arend van Spriel Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c index 738cfaca1e0f..a104d7ac3796 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c @@ -445,18 +445,18 @@ static void brcms_c_detach_mfree(struct brcms_c_info *wlc) kfree(wlc->protection); kfree(wlc->stf); kfree(wlc->bandstate[0]); - kfree(wlc->corestate->macstat_snapshot); + if (wlc->corestate) + kfree(wlc->corestate->macstat_snapshot); kfree(wlc->corestate); - kfree(wlc->hw->bandstate[0]); + if (wlc->hw) + kfree(wlc->hw->bandstate[0]); kfree(wlc->hw); if (wlc->beacon) dev_kfree_skb_any(wlc->beacon); if (wlc->probe_resp) dev_kfree_skb_any(wlc->probe_resp); - /* free the wlc */ kfree(wlc); - wlc = NULL; } static struct brcms_bss_cfg *brcms_c_bsscfg_malloc(uint unit)