2019-10-26 04:54:57

by Navid Emamdoost

[permalink] [raw]
Subject: [PATCH] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle

In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
buffer for cmd should be released before returning. The
documentation for i2400m_msg_to_dev() says when it returns the buffer
can be reused. Meaning cmd should be released in either case. Move
kfree(cmd) before return to be reached by all execution paths.

Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
Signed-off-by: Navid Emamdoost <[email protected]>
---
drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wimax/i2400m/op-rfkill.c b/drivers/net/wimax/i2400m/op-rfkill.c
index 8efb493ceec2..5c79f052cad2 100644
--- a/drivers/net/wimax/i2400m/op-rfkill.c
+++ b/drivers/net/wimax/i2400m/op-rfkill.c
@@ -127,12 +127,12 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
"%d\n", result);
result = 0;
error_cmd:
- kfree(cmd);
kfree_skb(ack_skb);
error_msg_to_dev:
error_alloc:
d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
wimax_dev, state, result);
+ kfree(cmd);
return result;
}

--
2.17.1


2019-10-26 18:15:03

by Markus Elfring

[permalink] [raw]
Subject: Re: [PATCH] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle

> Move kfree(cmd) before return to be reached by all execution paths.

I suggest to reconsider this change suggestion once more.


> Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")

I find it interesting that you would like to fix your commit from 2019-09-10.
https://lore.kernel.org/patchwork/patch/1126399/

Will it be helpful to refer also to the commit 024f7f31ed15c471f80408d8b5045497e27e1135
("i2400m: Generic probe/disconnect, reset and message passing" from 2009-01-07)?


> +++ b/drivers/net/wimax/i2400m/op-rfkill.c
> @@ -127,12 +127,12 @@ int i2400m_op_rfkill_sw_toggle(struct wimax_dev *wimax_dev,
> "%d\n", result);
> result = 0;
> error_cmd:
> - kfree(cmd);
> kfree_skb(ack_skb);
> error_msg_to_dev:
> error_alloc:
> d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
> wimax_dev, state, result);
> + kfree(cmd);
> return result;
> }


I would prefer to improve the exception handling like the following.
(Would you like to avoid passing a null pointer at the end?)

-error_cmd:
+free_skb:
- kfree(cmd);
kfree_skb(ack_skb);
-error_msg_to_dev:
+free_cmd:
+ kfree(cmd);
-error_alloc:
+exit:


How do you think about this update variant?

Regards,
Markus

2019-10-29 23:23:01

by David Miller

[permalink] [raw]
Subject: Re: [PATCH] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle

From: Navid Emamdoost <[email protected]>
Date: Fri, 25 Oct 2019 23:53:30 -0500

> In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
> buffer for cmd should be released before returning. The
> documentation for i2400m_msg_to_dev() says when it returns the buffer
> can be reused. Meaning cmd should be released in either case. Move
> kfree(cmd) before return to be reached by all execution paths.
>
> Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
> Signed-off-by: Navid Emamdoost <[email protected]>

Applied.