ath9k: RX buffers may be accessed/freed even before initialized/alloced.
authorSenthil Balasubramanian <senthilkumar@atheros.com>
Fri, 6 Mar 2009 05:54:09 +0000 (11:24 +0530)
committerJohn W. Linville <linville@tuxdriver.com>
Mon, 16 Mar 2009 22:09:30 +0000 (18:09 -0400)
accessing RXBUF list in ath_rx_cleanup may cause panic if
ath_descdma_setup fails even before RXBUF list is initialized.

Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/ath9k/main.c

index 4bc43db9ab2296006ba30cd939b1cb3fdade951c..7d9c060704b61e4620ee2f86c9fbe0400605109c 100644 (file)
@@ -1773,6 +1773,7 @@ int ath_descdma_setup(struct ath_softc *sc, struct ath_descdma *dd,
        DPRINTF(sc, ATH_DBG_CONFIG, "%s DMA: %u buffers %u desc/buf\n",
                name, nbuf, ndesc);
 
+       INIT_LIST_HEAD(head);
        /* ath_desc must be a multiple of DWORDs */
        if ((sizeof(struct ath_desc) % 4) != 0) {
                DPRINTF(sc, ATH_DBG_FATAL, "ath_desc not DWORD aligned\n");
@@ -1823,7 +1824,6 @@ int ath_descdma_setup(struct ath_softc *sc, struct ath_descdma *dd,
        }
        dd->dd_bufptr = bf;
 
-       INIT_LIST_HEAD(head);
        for (i = 0; i < nbuf; i++, bf++, ds += ndesc) {
                bf->bf_desc = ds;
                bf->bf_daddr = DS2PHYS(dd, ds);