aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2019-12-03 12:58:55 +0300
committerBen Hutchings <ben@decadent.org.uk>2020-05-22 21:19:18 +0100
commitd61a43ddb50fa25aedfee0d8444a1d27b02ba459 (patch)
treee89e07ae7282e8a832482907a21e9b7fc2a63f62
parent1d693c856dc25bf60fb5ad196721563d70023fee (diff)
downloadlinux-stable-d61a43ddb50fa25aedfee0d8444a1d27b02ba459.tar.gz
brcmfmac: Fix use after free in brcmf_sdio_readframes()
commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream. The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a static checker warning: drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() error: dereferencing freed memory 'pkt' It looks like there was supposed to be a continue after we free "pkt". Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat
-rw-r--r--drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
index f93bdba6901c25..1d58a745c211a5 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c
@@ -1972,6 +1972,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes)
BRCMF_SDIO_FT_NORMAL)) {
rd->len = 0;
brcmu_pkt_buf_free_skb(pkt);
+ continue;
}
bus->sdcnt.rx_readahead_cnt++;
if (rd->len != roundup(rd_new.len, 16)) {
generated by cgit 1.2.3-korg (git 2.39.0) at 2024-05-26 06:18:01 +0000