The lbs_process_rxed_packet() frees the skb. It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/marvell/libertas/if_spi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83f..e38f02d1f2e4 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -772,7 +772,7 @@ static int if_spi_c2h_data(struct if_spi_card *card)
/* pass the SKB to libertas */
err = lbs_process_rxed_packet(card->priv, skb);
if (err)
- goto free_skb;
+ goto out; /* lbs_process_rxed_packet() frees skb */
/* success */
goto out;
--
2.20.1
On Wed, 2019-06-26 at 13:09 +0300, Dan Carpenter wrote:
> The lbs_process_rxed_packet() frees the skb. It didn't originally,
> but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on
> receive
> error").
>
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> drivers/net/wireless/marvell/libertas/if_spi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c
> b/drivers/net/wireless/marvell/libertas/if_spi.c
> index 27067e79e83f..e38f02d1f2e4 100644
> --- a/drivers/net/wireless/marvell/libertas/if_spi.c
> +++ b/drivers/net/wireless/marvell/libertas/if_spi.c
> @@ -772,7 +772,7 @@ static int if_spi_c2h_data(struct if_spi_card
> *card)
> /* pass the SKB to libertas */
> err = lbs_process_rxed_packet(card->priv, skb);
> if (err)
> - goto free_skb;
> + goto out; /* lbs_process_rxed_packet() frees skb */
>
> /* success */
> goto out;
It can be further simplified (not compile tested yet):
diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..072da89c4986f 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
/* Read the data from the WLAN module into our skb... */
err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
- if (err)
- goto free_skb;
+ if (err) {
+ dev_kfree_skb(skb);
+ goto out
+ }
/* pass the SKB to libertas */
err = lbs_process_rxed_packet(card->priv, skb);
- if (err)
- goto free_skb;
+ /* lbs_process_rxed_packet() consumes the skb */
- /* success */
- goto out;
-
-free_skb:
- dev_kfree_skb(skb);
out:
if (err)
netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
Yeah. That looks nicer. Could you send it as a proper patch and give
me Reported-by credit?
regards,
dan carpenter
On Wed, 2019-06-26 at 16:23 +0300, Dan Carpenter wrote:
> Yeah. That looks nicer. Could you send it as a proper patch and
> give
> me Reported-by credit?
Will do.
Dan
The lbs_process_rxed_packet() frees the skb. It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Dan Williams <[email protected]>
---
drivers/net/wireless/marvell/libertas/if_spi.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..072da89c4986f 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
/* Read the data from the WLAN module into our skb... */
err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
- if (err)
- goto free_skb;
+ if (err) {
+ dev_kfree_skb(skb);
+ goto out
+ }
/* pass the SKB to libertas */
err = lbs_process_rxed_packet(card->priv, skb);
- if (err)
- goto free_skb;
+ /* lbs_process_rxed_packet() consumes the skb */
- /* success */
- goto out;
-
-free_skb:
- dev_kfree_skb(skb);
out:
if (err)
netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
--
2.20.1
Dan Williams <[email protected]> wrote:
> The lbs_process_rxed_packet() frees the skb. It didn't originally, but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
> error").
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Dan Williams <[email protected]>
Failed to compile:
drivers/net/wireless/marvell/libertas/if_spi.c: In function 'if_spi_c2h_data':
drivers/net/wireless/marvell/libertas/if_spi.c:771:11: error: expected ';' before '}' token
goto out
^
;
}
~
make[5]: *** [drivers/net/wireless/marvell/libertas/if_spi.o] Error 1
make[4]: *** [drivers/net/wireless/marvell/libertas] Error 2
make[3]: *** [drivers/net/wireless/marvell] Error 2
make[3]: *** Waiting for unfinished jobs....
make[2]: *** [drivers/net/wireless] Error 2
make[1]: *** [drivers/net] Error 2
make[1]: *** Waiting for unfinished jobs....
make: *** [drivers] Error 2
Patch set to Changes Requested.
--
https://patchwork.kernel.org/patch/11033059/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
The lbs_process_rxed_packet() frees the skb. It didn't originally, but
we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
error").
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Dan Williams <[email protected]>
---
Kalle: sorry about the build error; previous version of the patch before I fixed it.
Here's the correct one.
drivers/net/wireless/marvell/libertas/if_spi.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index 27067e79e83fe..d07fe82c557e8 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card)
/* Read the data from the WLAN module into our skb... */
err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4));
- if (err)
- goto free_skb;
+ if (err) {
+ dev_kfree_skb(skb);
+ goto out;
+ }
/* pass the SKB to libertas */
err = lbs_process_rxed_packet(card->priv, skb);
- if (err)
- goto free_skb;
+ /* lbs_process_rxed_packet() consumes the skb */
- /* success */
- goto out;
-
-free_skb:
- dev_kfree_skb(skb);
out:
if (err)
netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
--
2.20.1
Dan Williams <[email protected]> wrote:
> The lbs_process_rxed_packet() frees the skb. It didn't originally, but
> we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive
> error").
>
> Reported-by: Dan Carpenter <[email protected]>
> Signed-off-by: Dan Williams <[email protected]>
Patch applied to wireless-drivers-next.git, thanks.
3915a252ce71 libertas: Fix a double free in if_spi_c2h_data()
--
https://patchwork.kernel.org/patch/11057049/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches