git.librecmc.org Git - oweals/openwrt.git/blob

   1 From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001
   2 From: Dan Carpenter <dan.carpenter@oracle.com>
   3 Date: Tue, 3 Dec 2019 12:58:55 +0300
   4 Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes()
   5
   6 The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
   7 static checker warning:
   8
   9     drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
  10     error: dereferencing freed memory 'pkt'
  11
  12 It looks like there was supposed to be a continue after we free "pkt".
  13
  14 Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
  15 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
  16 Acked-by: Franky Lin <franky.lin@broadcom.com>
  17 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  18 ---
  19  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 +
  20  1 file changed, 1 insertion(+)
  21
  22 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
  23 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
  24 @@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct
  25                                                BRCMF_SDIO_FT_NORMAL)) {
  26                                 rd->len = 0;
  27                                 brcmu_pkt_buf_free_skb(pkt);
  28 +                               continue;
  29                         }
  30                         bus->sdcnt.rx_readahead_cnt++;
  31                         if (rd->len != roundup(rd_new.len, 16)) {