From patchwork Thu Aug 14 23:00:06 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexey Khoroshilov X-Patchwork-Id: 4725861 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 67556C0338 for ; Thu, 14 Aug 2014 23:00:46 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 6995A2016C for ; Thu, 14 Aug 2014 23:00:44 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 537182013A for ; Thu, 14 Aug 2014 23:00:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932234AbaHNXAU (ORCPT ); Thu, 14 Aug 2014 19:00:20 -0400 Received: from mail.ispras.ru ([83.149.199.45]:33032 "EHLO mail.ispras.ru" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932217AbaHNXAT (ORCPT ); Thu, 14 Aug 2014 19:00:19 -0400 Received: from localhost.localdomain (ppp85-141-243-51.pppoe.mtu-net.ru [85.141.243.51]) by mail.ispras.ru (Postfix) with ESMTPSA id A18E0540151; Fri, 15 Aug 2014 03:00:15 +0400 (MSK) From: Alexey Khoroshilov To: Andrea Merello , "John W. Linville" Cc: Alexey Khoroshilov , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: [PATCH] at76c50x-usb: fix use after free on failure path in at76_probe() Date: Fri, 15 Aug 2014 03:00:06 +0400 Message-Id: <1408057206-8854-1-git-send-email-khoroshilov@ispras.ru> X-Mailer: git-send-email 1.9.1 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP After commit 174beab7d445 ("at76c50x-usb: Don't perform DMA from stack memory") at76_delete_device() and usb_put_dev() are called both if at76_init_new_device() fails in at76_probe(). But at76_delete_device() does usb_put_dev(priv->dev) itself that means double usb_put_dev(). The patch avoids the problem by moving usb_put_dev() from at76_delete_device() to at76_disconnect(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov --- drivers/net/wireless/at76c50x-usb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 334c2ece855a..da92bfa76b7c 100644 --- a/drivers/net/wireless/at76c50x-usb.c +++ b/drivers/net/wireless/at76c50x-usb.c @@ -2423,8 +2423,6 @@ static void at76_delete_device(struct at76_priv *priv) kfree_skb(priv->rx_skb); - usb_put_dev(priv->udev); - at76_dbg(DBG_PROC_ENTRY, "%s: before freeing priv/ieee80211_hw", __func__); ieee80211_free_hw(priv->hw); @@ -2558,6 +2556,7 @@ static void at76_disconnect(struct usb_interface *interface) wiphy_info(priv->hw->wiphy, "disconnecting\n"); at76_delete_device(priv); + usb_put_dev(priv->udev); dev_info(&interface->dev, "disconnected\n"); }