2022-11-20 10:49:35

by Jianglei Nie

Subject: [PATCH] net: brcmfmac: fix potential resource leak in brcmf_usb_probe_phase2()

brcmf_usb_probe_phase2() allocates resource for dev with brcmf_alloc().
The related resource should be released when the function gets some error.
But when brcmf_attach() fails, relevant resource is not released, which
will lead to resource leak.

Fix it by calling brcmf_free() when brcmf_attach() fails.

Signed-off-by: Jianglei Nie <[email protected]>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
index 85e18fb9c497..5d8c12b2c4d7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
@@ -1215,6 +1215,7 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret,
return;
error:
brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
+ brcmf_free(devinfo->dev);
complete(&devinfo->dev_init_done);
device_release_driver(dev);
}
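Review bot: the added brcmf_free(devinfo->dev) sits under the shared error: label, so it runs on every path that jumps there, not only on the brcmf_attach() failure the commit message describes. The function is entered with ret as an argument, and any goto error taken before brcmf_alloc() has succeeded would now free state that was never allocated. Suggest calling brcmf_free() at the brcmf_attach() failure site, or adding a second label above error: that only post-allocation failures use. It is also worth confirming that the device_release_driver(dev) call that follows does not lead to a second release of the same allocation.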
--
2.25.1



2022-12-22 16:06:20

by Kalle Valo

Subject: Re: [PATCH] net: brcmfmac: fix potential resource leak in brcmf_usb_probe_phase2()

Jianglei Nie <[email protected]> writes:

> brcmf_usb_probe_phase2() allocates resource for dev with brcmf_alloc().
> The related resource should be released when the function gets some error.
> But when brcmf_attach() fails, relevant resource is not released, which
> will lead to resource leak.
>
> Fix it by calling brcmf_free() when brcmf_attach() fails.
>
> Signed-off-by: Jianglei Nie <[email protected]>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
> index 85e18fb9c497..5d8c12b2c4d7 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
> @@ -1215,6 +1215,7 @@ static void brcmf_usb_probe_phase2(struct device *dev, int ret,
> return;
> error:
> brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
> + brcmf_free(devinfo->dev);
> complete(&devinfo->dev_init_done);
> device_release_driver(dev);
> }

This doesn't look right. Now we would call brcmf_free() even before
brcmf_alloc() is called.

--
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches