Linux-Wireless Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] libertas: Fix a double free in if_spi_c2h_data()
@ 2019-06-26 10:09 Dan Carpenter
  2019-06-26 13:16 ` Dan Williams
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2019-06-26 10:09 UTC (permalink / raw)
  To: Kalle Valo, Philip Rakity
  Cc: Allison Randal, Lubomir Rintel, libertas-dev, linux-wireless,
	kernel-janitors

The lbs_process_rxed_packet() frees the skb.  It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/net/wireless/marvell/libertas/if_spi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83f..e38f02d1f2e4 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -772,7 +772,7 @@ static int if_spi_c2h_data(struct if_spi_card *card)
 	/* pass the SKB to libertas */
 	err = lbs_process_rxed_packet(card->priv, skb);
 	if (err)
-		goto free_skb;
+		goto out;  /* lbs_process_rxed_packet() frees skb */
 
 	/* success */
 	goto out;
-- 
2.20.1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] libertas: Fix a double free in if_spi_c2h_data()
  2019-06-26 10:09 [PATCH] libertas: Fix a double free in if_spi_c2h_data() Dan Carpenter
@ 2019-06-26 13:16 ` Dan Williams
  2019-06-26 13:23   ` Dan Carpenter
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Williams @ 2019-06-26 13:16 UTC (permalink / raw)
  To: Dan Carpenter, Kalle Valo, Philip Rakity
  Cc: Lubomir Rintel, kernel-janitors, linux-wireless, Allison Randal,
	libertas-dev

On Wed, 2019-06-26 at 13:09 +0300, Dan Carpenter wrote:
> The lbs_process_rxed_packet() frees the skb.  It didn't originally,
> but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on
> receive
> error").
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
>  drivers/net/wireless/marvell/libertas/if_spi.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c
> b/drivers/net/wireless/marvell/libertas/if_spi.c
> index 27067e79e83f..e38f02d1f2e4 100644
> --- a/drivers/net/wireless/marvell/libertas/if_spi.c
> +++ b/drivers/net/wireless/marvell/libertas/if_spi.c
> @@ -772,7 +772,7 @@ static int if_spi_c2h_data(struct if_spi_card
> *card)
>  	/* pass the SKB to libertas */
>  	err = lbs_process_rxed_packet(card->priv, skb);
>  	if (err)
> -		goto free_skb;
> +		goto out;  /* lbs_process_rxed_packet() frees skb */
>  
>  	/* success */
>  	goto out;

It can be further simplified (not compile tested yet):

diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..072da89c4986f 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
 
 	/* Read the data from the WLAN module into our skb... */
 	err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
-	if (err)
-		goto free_skb;
+	if (err) {
+		dev_kfree_skb(skb);
+		goto out
+	}
 
 	/* pass the SKB to libertas */
 	err = lbs_process_rxed_packet(card->priv, skb);
-	if (err)
-		goto free_skb;
+	/* lbs_process_rxed_packet() consumes the skb */
 
-	/* success */
-	goto out;
-
-free_skb:
-	dev_kfree_skb(skb);
 out:
 	if (err)
 		netdev_err(priv->dev, "%s: err=%d\n", __func__, err);


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] libertas: Fix a double free in if_spi_c2h_data()
  2019-06-26 13:16 ` Dan Williams
@ 2019-06-26 13:23   ` Dan Carpenter
  2019-06-26 16:02     ` Dan Williams
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Carpenter @ 2019-06-26 13:23 UTC (permalink / raw)
  To: Dan Williams
  Cc: Kalle Valo, Philip Rakity, Lubomir Rintel, kernel-janitors,
	linux-wireless, Allison Randal, libertas-dev

Yeah.  That looks nicer.  Could you send it as a proper patch and give
me Reported-by credit?

regards,
dan carpenter


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH] libertas: Fix a double free in if_spi_c2h_data()
  2019-06-26 13:23   ` Dan Carpenter
@ 2019-06-26 16:02     ` Dan Williams
  2019-07-05 16:42       ` [PATCH v2] " Dan Williams
  0 siblings, 1 reply; 8+ messages in thread
From: Dan Williams @ 2019-06-26 16:02 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Philip Rakity, libertas-dev, kernel-janitors, linux-wireless,
	Lubomir Rintel, Kalle Valo, Allison Randal

On Wed, 2019-06-26 at 16:23 +0300, Dan Carpenter wrote:
> Yeah.  That looks nicer.  Could you send it as a proper patch and
> give
> me Reported-by credit?

Will do.

Dan


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v2] libertas: Fix a double free in if_spi_c2h_data()
  2019-06-26 16:02     ` Dan Williams
@ 2019-07-05 16:42       ` " Dan Williams
  2019-07-24 11:46         ` Kalle Valo
  2019-07-24 14:38         ` [PATCH v3] " Dan Williams
  0 siblings, 2 replies; 8+ messages in thread
From: Dan Williams @ 2019-07-05 16:42 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Philip Rakity, libertas-dev, kernel-janitors, linux-wireless,
	Lubomir Rintel, Allison Randal, Dan Carpenter

The lbs_process_rxed_packet() frees the skb.  It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
---
 drivers/net/wireless/marvell/libertas/if_spi.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..072da89c4986f 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
 
 	/* Read the data from the WLAN module into our skb... */
 	err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
-	if (err)
-		goto free_skb;
+	if (err) {
+		dev_kfree_skb(skb);
+		goto out
+	}
 
 	/* pass the SKB to libertas */
 	err = lbs_process_rxed_packet(card->priv, skb);
-	if (err)
-		goto free_skb;
+	/* lbs_process_rxed_packet() consumes the skb */
 
-	/* success */
-	goto out;
-
-free_skb:
-	dev_kfree_skb(skb);
 out:
 	if (err)
 		netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v2] libertas: Fix a double free in if_spi_c2h_data()
  2019-07-05 16:42       ` [PATCH v2] " Dan Williams
@ 2019-07-24 11:46         ` Kalle Valo
  2019-07-24 14:38         ` [PATCH v3] " Dan Williams
  1 sibling, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2019-07-24 11:46 UTC (permalink / raw)
  To: Dan Williams
  Cc: Philip Rakity, libertas-dev, kernel-janitors, linux-wireless,
	Lubomir Rintel, Allison Randal, Dan Carpenter

Dan Williams <dcbw@redhat.com> wrote:

> The lbs_process_rxed_packet() frees the skb.  It didn't originally, but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
> error").
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Dan Williams <dcbw@redhat.com>

Failed to compile:

drivers/net/wireless/marvell/libertas/if_spi.c: In function 'if_spi_c2h_data':
drivers/net/wireless/marvell/libertas/if_spi.c:771:11: error: expected ';' before '}' token
   goto out
           ^
           ;
  }
  ~         
make[5]: *** [drivers/net/wireless/marvell/libertas/if_spi.o] Error 1
make[4]: *** [drivers/net/wireless/marvell/libertas] Error 2
make[3]: *** [drivers/net/wireless/marvell] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [drivers/net/wireless] Error 2
make[1]: *** [drivers/net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [drivers] Error 2

Patch set to Changes Requested.

-- 
https://patchwork.kernel.org/patch/11033059/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


^ permalink raw reply	[flat|nested] 8+ messages in thread

* [PATCH v3] libertas: Fix a double free in if_spi_c2h_data()
  2019-07-05 16:42       ` [PATCH v2] " Dan Williams
  2019-07-24 11:46         ` Kalle Valo
@ 2019-07-24 14:38         ` " Dan Williams
  2019-08-06 12:36           ` Kalle Valo
  1 sibling, 1 reply; 8+ messages in thread
From: Dan Williams @ 2019-07-24 14:38 UTC (permalink / raw)
  To: Kalle Valo
  Cc: Philip Rakity, libertas-dev, kernel-janitors, linux-wireless,
	Lubomir Rintel, Dan Carpenter, Allison Randal

The lbs_process_rxed_packet() frees the skb.  It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
---

Kalle: sorry about the build error; previous version of the patch before I fixed it.
Here's the correct one.

 drivers/net/wireless/marvell/libertas/if_spi.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..d07fe82c557e8 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
 
 	/* Read the data from the WLAN module into our skb... */
 	err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
-	if (err)
-		goto free_skb;
+	if (err) {
+		dev_kfree_skb(skb);
+		goto out;
+	}
 
 	/* pass the SKB to libertas */
 	err = lbs_process_rxed_packet(card->priv, skb);
-	if (err)
-		goto free_skb;
+	/* lbs_process_rxed_packet() consumes the skb */
 
-	/* success */
-	goto out;
-
-free_skb:
-	dev_kfree_skb(skb);
 out:
 	if (err)
 		netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
-- 
2.20.1


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: [PATCH v3] libertas: Fix a double free in if_spi_c2h_data()
  2019-07-24 14:38         ` [PATCH v3] " Dan Williams
@ 2019-08-06 12:36           ` Kalle Valo
  0 siblings, 0 replies; 8+ messages in thread
From: Kalle Valo @ 2019-08-06 12:36 UTC (permalink / raw)
  To: Dan Williams
  Cc: Philip Rakity, libertas-dev, kernel-janitors, linux-wireless,
	Lubomir Rintel, Dan Carpenter, Allison Randal

Dan Williams <dcbw@redhat.com> wrote:

> The lbs_process_rxed_packet() frees the skb.  It didn't originally, but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
> error").
> 
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Dan Williams <dcbw@redhat.com>

Patch applied to wireless-drivers-next.git, thanks.

3915a252ce71 libertas: Fix a double free in if_spi_c2h_data()

-- 
https://patchwork.kernel.org/patch/11057049/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, back to index

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-26 10:09 [PATCH] libertas: Fix a double free in if_spi_c2h_data() Dan Carpenter
2019-06-26 13:16 ` Dan Williams
2019-06-26 13:23   ` Dan Carpenter
2019-06-26 16:02     ` Dan Williams
2019-07-05 16:42       ` [PATCH v2] " Dan Williams
2019-07-24 11:46         ` Kalle Valo
2019-07-24 14:38         ` [PATCH v3] " Dan Williams
2019-08-06 12:36           ` Kalle Valo

Linux-Wireless Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wireless/0 linux-wireless/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wireless linux-wireless/ https://lore.kernel.org/linux-wireless \
		linux-wireless@vger.kernel.org linux-wireless@archiver.kernel.org
	public-inbox-index linux-wireless


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wireless


AGPL code for this site: git clone https://public-inbox.org/ public-inbox