| Message ID | 1396038375-18122-1-git-send-email-khoroshilov@ispras.ru (mailing list archive) |
|---|---|
| State | Not Applicable, archived |
| Headers | show |
On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: > If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) > while usb_get_dev(udev) is not called yet. As a result refcnt is decremented > incorrectly and usb_dev can be used after memory deallocation. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> > --- Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Thanks, Larry > drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c > index fd78df813a85..d7f540a9dc9b 100644 > --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c > +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c > @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, > > err_free_dmabuf: > kfree(priv->io_dmabuf); > - err_free_dev: > - ieee80211_free_hw(dev); > usb_set_intfdata(intf, NULL); > usb_put_dev(udev); > + err_free_dev: > + ieee80211_free_hw(dev); > return err; > } > > -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv->io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; }
If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> --- drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)