| Message ID | 9153261627a0f84b996e023f1349a2bc06dd03ee.camel@redhat.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 3915a252ce71b836a830bcc537220389a3acf3a5 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [v3] libertas: Fix a double free in if_spi_c2h_data() | expand |
Dan Williams <dcbw@redhat.com> wrote: > The lbs_process_rxed_packet() frees the skb. It didn't originally, but > we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive > error"). > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Dan Williams <dcbw@redhat.com> Patch applied to wireless-drivers-next.git, thanks. 3915a252ce71 libertas: Fix a double free in if_spi_c2h_data()
diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c index 27067e79e83fe..d07fe82c557e8 100644 --- a/drivers/net/wireless/marvell/libertas/if_spi.c +++ b/drivers/net/wireless/marvell/libertas/if_spi.c @@ -766,19 +766,15 @@ static int if_spi_c2h_data(struct if_spi_card *card) /* Read the data from the WLAN module into our skb... */ err = spu_read(card, IF_SPI_DATA_RDWRPORT_REG, data, ALIGN(len, 4)); - if (err) - goto free_skb; + if (err) { + dev_kfree_skb(skb); + goto out; + } /* pass the SKB to libertas */ err = lbs_process_rxed_packet(card->priv, skb); - if (err) - goto free_skb; + /* lbs_process_rxed_packet() consumes the skb */ - /* success */ - goto out; - -free_skb: - dev_kfree_skb(skb); out: if (err) netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
The lbs_process_rxed_packet() frees the skb. It didn't originally, but we fixed it in commit f54930f36311 ("libertas: don't leak skb on receive error"). Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Dan Williams <dcbw@redhat.com> --- Kalle: sorry about the build error; previous version of the patch before I fixed it. Here's the correct one. drivers/net/wireless/marvell/libertas/if_spi.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-)