2011-01-28 13:57:37

by Julia Lawall

Subject: [PATCH 1/2] net/wireless/nl80211.c: Avoid call to genlmsg_cancel

genlmsg_cancel subtracts some constants from its second argument before
calling nlmsg_cancel. nlmsg_cancel then calls nlmsg_trim on the same
arguments. nlmsg_trim tests for NULL before doing any computation, but a
NULL second argument to genlmsg_cancel is no longer NULL due to the initial
subtraction. Nothing else happens in this execution, so the call to
genlmsg_cancel is simply unnecessary in this case.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression data;
@@

if (data == NULL) { ...
* genlmsg_cancel(..., data);
...
return ...;
}
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
net/wireless/nl80211.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 9b62710..864ddfb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2718,7 +2718,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
NL80211_CMD_GET_MESH_CONFIG);
if (!hdr)
- goto nla_put_failure;
+ goto out;
pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
if (!pinfoattr)
goto nla_put_failure;
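Review bot: the label name chosen for the `if (!hdr)` path differs between the two functions touched by this patch: here it is `out`, while the identical nl80211hdr_put() failure in nl80211_get_reg further down jumps to `put_failure`. Pick one name for both; since the condition is that no header was written and there is nothing to cancel, a name that says so (for example `hdr_put_failure`) would also make the reason for skipping genlmsg_cancel() visible at the goto.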
@@ -2759,6 +2759,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,

nla_put_failure:
genlmsg_cancel(msg, hdr);
+ out:
nlmsg_free(msg);
return -ENOBUFS;
}
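Review bot: the added label line reads `+ out:` with a leading space, whereas `nla_put_failure:` directly above it starts in column 0; if that space is real and not an artifact of the archive, drop it, since kernel style keeps labels unindented. Behaviour-wise the hunk is fine: the `out` path still frees msg and returns -ENOBUFS, it only skips the cancel of a header that was never written.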
@@ -2954,7 +2955,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
NL80211_CMD_GET_REG);
if (!hdr)
- goto nla_put_failure;
+ goto put_failure;

NLA_PUT_STRING(msg, NL80211_ATTR_REG_ALPHA2,
cfg80211_regdomain->alpha2);
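Review bot: `put_failure` differs from `nla_put_failure` only by a prefix, yet the two mean different things: `nla_put_failure` is where the NLA_PUT_STRING macro just below jumps when an attribute does not fit (the header exists, so cancelling it is meaningful), while `put_failure` is taken when nl80211hdr_put() itself returned NULL and there is no header at all. A name that states that difference, such as `hdr_put_failure`, would keep the two paths from being read as the same case.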
@@ -3001,6 +3002,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)

nla_put_failure:
genlmsg_cancel(msg, hdr);
+put_failure:
nlmsg_free(msg);
err = -EMSGSIZE;
out:
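Review bot: with nlmsg_free(msg) immediately following it, the genlmsg_cancel(msg, hdr) under `nla_put_failure:` does no useful work either, because the buffer is freed no matter where its tail was trimmed to; if the goal is only to keep a NULL hdr out of genlmsg_cancel(), the cancel could be dropped and the two labels merged into one, and if the cancel is deliberately kept for symmetry, a one-line comment saying so would save the next reader the same question. The existing `out:` label and `err = -EMSGSIZE` are unaffected either way.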


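The chain the commit message describes, as an added illustration that is not part of the patch or of the kernel: a small C model of genlmsg_cancel, nlmsg_cancel and nlmsg_trim with an assumed buffer structure and assumed header sizes (the real constants are NLMSG_HDRLEN and GENL_HDRLEN), the pointer arithmetic done on uintptr_t because subtracting from NULL is undefined in C. It shows the normal cancel of a real header, the failure path nl80211 hit, where a NULL hdr reaches the NULL test as a non-NULL value and the trim step runs with a meaningless length, and the alternative of testing hdr before adjusting it. All function and struct names below are mine, not kernel API.

```c
/*
 * Model of the genlmsg_cancel -> nlmsg_cancel -> nlmsg_trim chain from the
 * commit message. These are NOT the kernel's functions; they are a stand-in
 * (assumed struct, assumed header sizes) that makes the ordering problem
 * observable: the NULL guard sits in the innermost function, but the
 * outermost one has already subtracted from the pointer before it is reached.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed header sizes; the real constants are NLMSG_HDRLEN and GENL_HDRLEN. */
#define MODEL_NLMSG_HDRLEN 16
#define MODEL_GENL_HDRLEN   4

struct model_skb {
	unsigned char data[256];
	unsigned int len;        /* bytes currently used in data[] */
	unsigned int trims;      /* how often the trim step was reached */
	long last_trim_len;      /* the length the trim step was asked for */
};

static void model_skb_init(struct model_skb *skb, unsigned int len)
{
	memset(skb, 0, sizeof(*skb));
	skb->len = len;
}

/* Stand-in for skb_trim(): records the call, shrinks only for sane lengths. */
static void model_skb_trim(struct model_skb *skb, long len)
{
	skb->trims++;
	skb->last_trim_len = len;
	if (len >= 0 && (unsigned long)len < skb->len)
		skb->len = (unsigned int)len;
}

/* Stand-in for nlmsg_trim(): this is where the NULL test lives. */
static void model_nlmsg_trim(struct model_skb *skb, const void *mark)
{
	if (mark)
		model_skb_trim(skb, (long)((uintptr_t)mark - (uintptr_t)skb->data));
}

/* Stand-in for nlmsg_cancel(): just forwards to the trim. */
static void model_nlmsg_cancel(struct model_skb *skb, void *nlh)
{
	model_nlmsg_trim(skb, nlh);
}

/*
 * Stand-in for genlmsg_cancel() as the commit message describes it: the two
 * header lengths are subtracted BEFORE the NULL test is reached, so a NULL
 * hdr arrives there as a non-NULL value. Done on uintptr_t because pointer
 * arithmetic on NULL is undefined in C; the value is what the guard sees.
 */
static void model_genlmsg_cancel(struct model_skb *skb, void *hdr)
{
	uintptr_t nlh = (uintptr_t)hdr - MODEL_GENL_HDRLEN - MODEL_NLMSG_HDRLEN;
	model_nlmsg_cancel(skb, (void *)nlh);
}

/* The other way to close the hole (my variant): test hdr before adjusting it. */
static void model_genlmsg_cancel_checked(struct model_skb *skb, void *hdr)
{
	if (!hdr)
		return;
	model_genlmsg_cancel(skb, hdr);
}

/* Normal use: hdr points past both headers of a message starting at 'start'. */
static unsigned int len_after_cancel(unsigned int start, unsigned int len)
{
	struct model_skb skb;
	void *hdr;

	model_skb_init(&skb, len);
	hdr = skb.data + start + MODEL_NLMSG_HDRLEN + MODEL_GENL_HDRLEN;
	model_genlmsg_cancel(&skb, hdr);
	return skb.len;   /* trimmed back to 'start' */
}

/* Failure path as in nl80211: nl80211hdr_put() returned NULL, cancel anyway. */
static unsigned int trims_for_null_hdr(bool checked)
{
	struct model_skb skb;

	model_skb_init(&skb, 64);
	if (checked)
		model_genlmsg_cancel_checked(&skb, NULL);
	else
		model_genlmsg_cancel(&skb, NULL);
	return skb.trims;   /* 1 unchecked (guard bypassed), 0 checked */
}

int main(void)
{
	printf("cancel of message at 0 in 64 bytes  -> len %u\n", len_after_cancel(0, 64));
	printf("cancel of message at 32 in 64 bytes -> len %u\n", len_after_cancel(32, 64));
	printf("NULL hdr, unchecked: trim reached %u time(s)\n", trims_for_null_hdr(false));
	printf("NULL hdr, checked:   trim reached %u time(s)\n", trims_for_null_hdr(true));
	return 0;
}
```

The model's trim deliberately ignores a negative or oversized length so the program stays well defined; the point is only that the length is reached at all. Whether skipping the call at the call site (as the patch does) or testing hdr inside the cancel helper is the better fix is a question for the API owner; the model shows that either closes the path.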

2011-01-28 14:20:16

by Johannes Berg

Subject: Re: [PATCH 1/2] net/wireless/nl80211.c: Avoid call to genlmsg_cancel

On Fri, 2011-01-28 at 15:16 +0100, Julia Lawall wrote:

> > But why did you call the label differently? :)
>
> Because out is already used in this case, and I didn't want to change all
> of the other occurrences of nla_put_failure. It's a bit sloppy though,
> because this code is the actual nla_put_failure. I can change it if you
> prefer.

Oh, and I could've seen that from the patch itself too; I just missed
it, sorry.

johannes


2011-01-28 14:01:27

by Johannes Berg

Subject: Re: [PATCH 1/2] net/wireless/nl80211.c: Avoid call to genlmsg_cancel

On Fri, 2011-01-28 at 15:17 +0100, Julia Lawall wrote:

> diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> index 9b62710..864ddfb 100644
> --- a/net/wireless/nl80211.c
> +++ b/net/wireless/nl80211.c
> @@ -2718,7 +2718,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
> hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
> NL80211_CMD_GET_MESH_CONFIG);
> if (!hdr)
> - goto nla_put_failure;
> + goto out;


> @@ -2954,7 +2955,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
> hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
> NL80211_CMD_GET_REG);
> if (!hdr)
> - goto nla_put_failure;
> + goto put_failure;
>
> NLA_PUT_STRING(msg, NL80211_ATTR_REG_ALPHA2,
> cfg80211_regdomain->alpha2);

Seems fine. Actually, since the message is freed anyhow, the call to
genlmsg_cancel is *completely* unnecessary; I just put it in to make it
nest better and not rely on it not having side effects.

But why did you call the label differently? :)

johannes


2011-01-28 14:16:58

by Julia Lawall

Subject: Re: [PATCH 1/2] net/wireless/nl80211.c: Avoid call to genlmsg_cancel

On Fri, 28 Jan 2011, Johannes Berg wrote:

> On Fri, 2011-01-28 at 15:17 +0100, Julia Lawall wrote:
>
> > diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
> > index 9b62710..864ddfb 100644
> > --- a/net/wireless/nl80211.c
> > +++ b/net/wireless/nl80211.c
> > @@ -2718,7 +2718,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
> > hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
> > NL80211_CMD_GET_MESH_CONFIG);
> > if (!hdr)
> > - goto nla_put_failure;
> > + goto out;
>
>
> > @@ -2954,7 +2955,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
> > hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
> > NL80211_CMD_GET_REG);
> > if (!hdr)
> > - goto nla_put_failure;
> > + goto put_failure;
> >
> > NLA_PUT_STRING(msg, NL80211_ATTR_REG_ALPHA2,
> > cfg80211_regdomain->alpha2);
>
> Seems fine. Actually, since the message is freed anyhow, the call to
> genlmsg_cancel is *completely* unnecessary; I just put it in to make it
> nest better and not rely on it not having side effects.
>
> But why did you call the label differently? :)

Because out is already used in this case, and I didn't want to change all
of the other occurrences of nla_put_failure. It's a bit sloppy though,
because this code is the actual nla_put_failure. I can change it if you
prefer.

julia