p71924506
/
linux_old1
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

at86rf230: fix race on error handling 

The resource "ctx" can be still used by at86rf230_async_state_change, we
need to free it at the complete handler of the async state change to
avoid a use after free.

Signed-off-by: Alexander Aring <aar@pengutronix.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
Alexander Aring 2016-02-19 09:59:12 +01:00 committed by Marcel Holtmann
parent 07b0188adf
commit c231c5a47a
1 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
drivers/net/ieee802154/at86rf230.c
View File

@ -342,6 +342,18 @@ static const struct regmap_config at86rf230_regmap_spi_config = {
.precious_reg = at86rf230_reg_precious,
};
static void
at86rf230_async_error_recover_complete(void *context)
{
struct at86rf230_state_change *ctx = context;
struct at86rf230_local *lp = ctx->lp;
if (ctx->free)
kfree(ctx);
ieee802154_wake_queue(lp->hw);
}
static void
at86rf230_async_error_recover(void *context)
{
@ -349,10 +361,8 @@ at86rf230_async_error_recover(void *context)
struct at86rf230_local *lp = ctx->lp;
lp->is_tx = 0;
at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, NULL);
ieee802154_wake_queue(lp->hw);
if (ctx->free)
kfree(ctx);
at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON,
at86rf230_async_error_recover_complete);
}
static inline void