uwb: remove beacon cache entry after calling uwb_notify()
Stefano Panella [Tue, 23 Dec 2008 12:31:09 +0000 (12:31 +0000)]
Removing the beacon cache entry from a uwb_dev can cause an oops if the
bce is released before the call to uwb_notify().

Signed-off-by: Stefano Panella <stefano.panella@csr.com>
Signed-off-by: David Vrabel <david.vrabel@csr.com>

drivers/uwb/beacon.c
drivers/uwb/lc-dev.c

index 0315093..36bc315 100644 (file)
@@ -289,8 +289,6 @@ void uwb_beca_purge(struct uwb_rc *rc)
                expires = bce->ts_jiffies + msecs_to_jiffies(beacon_timeout_ms);
                if (time_after(jiffies, expires)) {
                        uwbd_dev_offair(bce);
-                       list_del(&bce->node);
-                       uwb_bce_put(bce);
                }
        }
        mutex_unlock(&rc->uwb_beca.mutex);
index f78087b..e9fe1bb 100644 (file)
@@ -375,6 +375,8 @@ int __uwb_dev_offair(struct uwb_dev *uwb_dev, struct uwb_rc *rc)
                 rc ? rc->uwb_dev.dev.parent->bus->name : "n/a",
                 rc ? dev_name(rc->uwb_dev.dev.parent) : "");
        uwb_dev_rm(uwb_dev);
+       list_del(&uwb_dev->bce->node);
+       uwb_bce_put(uwb_dev->bce);
        uwb_dev_put(uwb_dev);   /* for the creation in _onair() */
 
        return 0;
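Review bot: The added `list_del(&uwb_dev->bce->node)` edits the beacon cache list that uwb_beca_purge() walks under `rc->uwb_beca.mutex`, but nothing here says the caller must hold that mutex, and the context lines just above tolerate `rc == NULL`, so a caller with no rc to lock looks possible. An unlocked list_del racing with the purge walk would corrupt the list or leave a freed entry reachable, so I would state the requirement above the two new lines, e.g. `/* caller must hold rc->uwb_beca.mutex: this unlinks the bce from the beacon cache */`, and audit the other callers of __uwb_dev_offair(), which are outside this hunk. `uwb_dev->bce` is also dereferenced unconditionally; if a uwb_dev can reach this point without a cache entry, the two lines need an `if (uwb_dev->bce)` guard. Since uwb_beca_purge() no longer unlinks anything itself, an expired entry whose uwbd_dev_offair() call does not reach these lines would presumably stay in the cache and be revisited on every purge, which is worth confirming. The function body begins before the hunk.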