kernel-2.6.18-128.1.10.el5.src.rpm

From: John W. Linville <linville@redhat.com>
Date: Thu, 11 Sep 2008 09:49:33 -0400
Subject: [wireless] rt2x00: avoid NULL-ptr deref when probe fails
Message-id: 20080911134932.GB12382@redhat.com
O-Subject: [RHEL5 patch] rt2x00: avoid NULL-pointer deref when probe fails
Bugzilla: 448763
RH-Acked-by: David Miller <davem@redhat.com>

On Mon, Aug 18, 2008 at 04:50:34PM -0400, John W. Linville wrote:
> Add rt2x00 drivers backported from 2.6.26.
>
> BZ448763
>
> Tested by me and some people.redhat.com watchers, with good results.

rt2500usb and rt73usb have some PCI ID overlap.  They each have code
in their probe paths that determines whether or not the driver in
question can support the available hardware.

Unfortunately, the error path in the probe routines has a NULL pointer
dereference.  So if the wrong driver gets loaded first...*splat*...

I think upstream has the same issue, so I'll push this there as well.

John

diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
index b6c5922..a6ac62f 100644
--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
@@ -1203,8 +1203,10 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
 	 * Stop all queued work. Note that most tasks will already be halted
 	 * during rt2x00lib_disable_radio() and rt2x00lib_uninitialize().
 	 */
-	flush_workqueue(rt2x00dev->workqueue);
-	destroy_workqueue(rt2x00dev->workqueue);
+	if (rt2x00dev->workqueue) {
+		flush_workqueue(rt2x00dev->workqueue);
+		destroy_workqueue(rt2x00dev->workqueue);
+	}
 
 	/*
 	 * Free ieee80211_hw memory.
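Review bot: The new `if (rt2x00dev->workqueue)` guard in rt2x00lib_remove_dev() only helps if the pointer is reliably NULL whenever probe fails before the workqueue is created, so it is worth confirming that the rt2x00_dev structure is zero-initialized on allocation rather than relying on it implicitly. The comment above the guard still reads as if the workqueue always exists; a short addition saying that it may be NULL when this function is reached from the probe error path would record why the check is there. Since this teardown goes on to free the ieee80211_hw memory right after, the same failed-probe scenario should be walked through the remaining cleanup steps to check that none of them dereference state that was never set up.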