diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2019-12-03 12:58:55 +0300 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2020-05-22 21:19:18 +0100 |
commit | d61a43ddb50fa25aedfee0d8444a1d27b02ba459 (patch) | |
tree | e89e07ae7282e8a832482907a21e9b7fc2a63f62 | |
parent | 1d693c856dc25bf60fb5ad196721563d70023fee (diff) | |
download | linux-stable-d61a43ddb50fa25aedfee0d8444a1d27b02ba459.tar.gz |
brcmfmac: Fix use after free in brcmf_sdio_readframes()
commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream.
The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
error: dereferencing freed memory 'pkt'
It looks like there was supposed to be a continue after we free "pkt".
Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r-- | drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c index f93bdba6901c25..1d58a745c211a5 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c @@ -1972,6 +1972,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) BRCMF_SDIO_FT_NORMAL)) { rd->len = 0; brcmu_pkt_buf_free_skb(pkt); + continue; } bus->sdcnt.rx_readahead_cnt++; if (rd->len != roundup(rd_new.len, 16)) { |