2006-03-15 02:51:05

by Eugene Teo

Subject: Fix hostap_cs double kfree

prism2_config() kfree's twice if kmalloc fails.

Coverity bug #930

Signed-off-by: Eugene Teo <[email protected]>

--- linux-2.6/drivers/net/wireless/hostap/hostap_cs.c~ 2006-03-15 10:05:36.000000000 +0800
+++ linux-2.6/drivers/net/wireless/hostap/hostap_cs.c 2006-03-15 10:24:53.000000000 +0800
@@ -585,8 +585,6 @@
parse = kmalloc(sizeof(cisparse_t), GFP_KERNEL);
hw_priv = kmalloc(sizeof(*hw_priv), GFP_KERNEL);
if (parse == NULL || hw_priv == NULL) {
- kfree(parse);
- kfree(hw_priv);
ret = -ENOMEM;
goto failed;
}
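Review bot: the description should say why removing the two kfree() calls from the `if (parse == NULL || hw_priv == NULL)` block does not leak when only one of the allocations failed. The `goto failed` path already frees both parse and hw_priv, so the pointer that was allocated is still released there; one sentence to that effect in the changelog would make the fix self-explanatory.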
@@ -783,8 +781,10 @@
cs_error(link->handle, last_fn, last_ret);

failed:
- kfree(parse);
- kfree(hw_priv);
+ if (parse)
+ kfree(parse);
+ if (hw_priv)
+ kfree(hw_priv);
prism2_release((u_long)link);
return ret;
}
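Review bot: the `if (parse)` and `if (hw_priv)` guards added under `failed:` are unnecessary, because kfree() returns immediately when passed NULL. The first hunk alone removes the double free, so this hunk can be dropped and the two unconditional kfree() calls kept as they were.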

--
1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }


2006-03-15 03:05:29

by Felipe W Damasio

Subject: Re: Fix hostap_cs double kfree

Hi Eugene,

Eugene Teo wrote:

> failed:
>- kfree(parse);
>- kfree(hw_priv);
>+ if (parse)
>+ kfree(parse);
>+ if (hw_priv)
>+ kfree(hw_priv);
> prism2_release((u_long)link);
> return ret;
> }
>
>
I don't think those if's are needed, since the kfree code already does:

void kfree(const void *objp)
{
if (unlikely(!objp))
return;
...
}

But if you really want to use it, I suggest using if (likely
(!<pointer>)) there to hint gcc of a possible optimization.

Cheers,

Felipe Damasio

2006-03-15 03:17:55

by Jouni Malinen

Subject: Re: Fix hostap_cs double kfree

On Wed, Mar 15, 2006 at 10:39:00AM +0800, Eugene Teo wrote:
> prism2_config() kfree's twice if kmalloc fails.
>
> Coverity bug #930

Thanks. I'm going through the issues related to the Host AP driver in
the Coverity database and will send a set of patches after some testing.

> --- linux-2.6/drivers/net/wireless/hostap/hostap_cs.c~ 2006-03-15 10:05:36.000000000 +0800
> +++ linux-2.6/drivers/net/wireless/hostap/hostap_cs.c 2006-03-15 10:24:53.000000000 +0800
> @@ -585,8 +585,6 @@
> parse = kmalloc(sizeof(cisparse_t), GFP_KERNEL);
> hw_priv = kmalloc(sizeof(*hw_priv), GFP_KERNEL);
> if (parse == NULL || hw_priv == NULL) {
> - kfree(parse);
> - kfree(hw_priv);
> ret = -ENOMEM;
> goto failed;
> }

This is a valid fix..

> @@ -783,8 +781,10 @@
> cs_error(link->handle, last_fn, last_ret);
>
> failed:
> - kfree(parse);
> - kfree(hw_priv);
> + if (parse)
> + kfree(parse);
> + if (hw_priv)
> + kfree(hw_priv);
> prism2_release((u_long)link);
> return ret;

.. but this is not.

--
Jouni Malinen PGP id EFC895FA

2006-03-15 04:01:58

by Eugene Teo

Subject: Re: Fix hostap_cs double kfree

<quote sender="Felipe W Damasio">
> Eugene Teo wrote:
>
> > failed:
> >- kfree(parse);
> >- kfree(hw_priv);
> >+ if (parse)
> >+ kfree(parse);
> >+ if (hw_priv)
> >+ kfree(hw_priv);
>
> I don't think those if's are needed, since the kfree code already does:
>
> void kfree(const void *objp)
> {
> if (unlikely(!objp))
> return;
> ...
> }
>
> But if you really want to use it, I suggest using if (likely
> (!<pointer>)) there to hint gcc of a possible optimization.

Ah, thanks for the tip.

Eugene
--
1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }

2006-03-15 06:44:12

by Eugene Teo

Subject: Re: Fix hostap_cs double kfree

<quote sender="Jouni Malinen">
> On Wed, Mar 15, 2006 at 10:39:00AM +0800, Eugene Teo wrote:
> > prism2_config() kfree's twice if kmalloc fails.
> >
> > Coverity bug #930
>
> Thanks. I'm going through the issues related to the Host AP driver in
> the Coverity database and will send a set of patches after some testing.

Ok, here's a resend. Thanks.

Eugene

--
prism2_config() kfree's twice if kmalloc fails.

Coverity bug #930

Signed-off-by: Eugene Teo <[email protected]>

--- linux-2.6/drivers/net/wireless/hostap/hostap_cs.c~ 2006-03-15 10:05:36.000000000 +0800
+++ linux-2.6/drivers/net/wireless/hostap/hostap_cs.c 2006-03-15 14:38:54.000000000 +0800
@@ -585,8 +585,6 @@
parse = kmalloc(sizeof(cisparse_t), GFP_KERNEL);
hw_priv = kmalloc(sizeof(*hw_priv), GFP_KERNEL);
if (parse == NULL || hw_priv == NULL) {
- kfree(parse);
- kfree(hw_priv);
ret = -ENOMEM;
goto failed;
}
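Review bot: the resend does not say what changed since the first posting; the `failed:` hunk has been dropped but the description is identical. A short changelog under a `---` line after the Signed-off-by, noting that the NULL checks before kfree() were removed after review, and a version marker in the subject would tell the maintainer which posting to apply.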

--
1024D/A6D12F80 print D51D 2633 8DAC 04DB 7265 9BB8 5883 6DAA A6D1 2F80
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
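
The error path this thread discusses, as an added userspace model (not code from any post or from the hostap driver): a two-slot tracking allocator stands in for kmalloc()/kfree(), and `t_alloc`, `t_free`, `leaked` and `config` are hypothetical names. It shows that freeing before `goto failed` double-frees the surviving allocation, and that dropping the early frees neither leaks nor needs NULL guards.

```c
#include <stdio.h>

/* Constructed userspace model of the error path; not hostap driver code. */
static char pool[2][64];                     /* two slots: parse and hw_priv */
static int in_use[2], double_frees, calls, fail_at;

static void *t_alloc(void)                   /* fails on call number fail_at */
{
    if (++calls == fail_at) return NULL;
    for (int i = 0; i < 2; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;
}

static void t_free(void *p)
{
    for (int i = 0; p && i < 2; i++)         /* NULL is a no-op, as in kfree() */
        if (p == (void *)pool[i]) {
            double_frees += !in_use[i];      /* slot was already released */
            in_use[i] = 0;
        }
}

static int leaked(void)
{
    return in_use[0] + in_use[1];
}

/* early_free = 1: code before the patch; 0: code after the resend. */
static int config(int fail_on, int early_free)
{
    int ret = 0;
    calls = 0; double_frees = 0; fail_at = fail_on;
    void *parse = t_alloc(), *hw_priv = t_alloc();
    if (parse == NULL || hw_priv == NULL) {
        if (early_free) { t_free(parse); t_free(hw_priv); }
        ret = -1;                            /* stands in for -ENOMEM */
        goto failed;
    }
failed:                                      /* the model also frees here on success */
    t_free(parse);
    t_free(hw_priv);
    return ret;
}

int main(void)
{
    config(2, 1); printf("before: double_frees=%d\n", double_frees);
    config(2, 0); printf("after:  double_frees=%d leaked=%d\n", double_frees, leaked());
    return 0;
}
```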