| commit | 8dd2a1e58443e9178738b13d238ca6fe8fe1d11f | [log] [tgz] |
|---|---|---|
| author | Brian Norris <[email protected]> | Thu Nov 10 18:13:55 2016 |
| committer | ChromeOS Commit Bot <[email protected]> | Fri Nov 11 02:41:40 2016 |
| tree | 80629aad41536238868d05c09a65ea7c1d039661 | |
| parent | 694dd273651d973a776d433e79ca50de0c218e4f [diff] |
CHROMIUM: mwifiex: use-after-free in mwifiex_fw_dpc() failure path We might be free'ing 'adapter' in mwifiex_free_adapter(). So grab the pointer to the parent interface's completion *before* we do that. BUG=chrome-os-partner:59655 TEST=reboot tests with slub_debug; or, artificially force FW init failure Change-Id: I3491e74a11fb73ea4f8b353fc93566e8c985e5bb Fixes: b040b947422a ("CHROMIUM: mwifiex: resolve races between async FW init (failure) and device removal") Signed-off-by: Brian Norris <[email protected]> Reviewed-on: https://chromium-review.googlesource.com/409714 Reviewed-by: Douglas Anderson <[email protected]> (cherry picked from commit a51189cccc5dd71619da7179fcebfd2e34fbe1b4) Reviewed-on: https://chromium-review.googlesource.com/410062