When the TX FIFO filled up and i2400m_tx_new() failed to allocate a
new TX message header, a missing check for said condition was causing a
kernel oops when trying to dereference a NULL i2400m->tx_msg pointer.

Found and diagnosed by Cindy H. Kao.

Signed-off-by: Inaky Perez-Gonzalez <[email protected]>
---
 drivers/net/wimax/i2400m/tx.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c
index 4295dcf..fa16ccf 100644
--- a/drivers/net/wimax/i2400m/tx.c
+++ b/drivers/net/wimax/i2400m/tx.c
@@ -653,6 +653,8 @@ try_new:
                i2400m_tx_close(i2400m);
                i2400m_tx_new(i2400m);
        }
+       if (i2400m->tx_msg == NULL)
+               goto error_tx_new;
        if (i2400m->tx_msg->size + padded_len > I2400M_TX_BUF_SIZE / 2) {
                d_printf(2, dev, "TX: message too big, going new\n");
                i2400m_tx_close(i2400m);
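Review bot: the added test only guards the dereference in `i2400m->tx_msg->size + padded_len`. The "message too big, going new" branch just below it calls i2400m_tx_close() and the visible context ends there, so if that branch goes on to call i2400m_tx_new() again, the same NULL test is needed after that call before tx_msg is used. The added lines would also benefit from a one-line comment saying that tx_msg is left NULL when the TX FIFO is full and no new header could be allocated, since nothing at the i2400m_tx_new() call site shows that it can fail. The value returned on the `goto error_tx_new` path is not visible in this hunk; please confirm it is set to an error code before the jump so callers do not see success for a dropped payload.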
-- 
1.6.2.3
