Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
openwrt_lede
/
package
/
kernel
/
mac80211
/
patches
/
323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch

323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch 1.9 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 
  1. From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
    2. 

  2. From: "Peter S. Housel" <housel@acm.org>
    3. 

  3. Date: Mon, 12 Jun 2017 11:46:22 +0100
    4. 

  4. Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
    5. 

  5. 

  6. An earlier change to this function (3bdae810721b) fixed a leak in the
    7. 

  7. case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
    8. 

  8. glom_skb buffer, used for emulating a scattering read, is never used
    9. 

  9. or referenced after its contents are copied into the destination
    10. 

  10. buffers, and therefore always needs to be freed by the end of the
    11. 

  11. function.
    12. 

  12. 

  13. Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
    14. 

  14. Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
    15. 

  15. Cc: stable@vger.kernel.org # 4.9.x-
    16. 

  16. Signed-off-by: Peter S. Housel <housel@acm.org>
    17. 

  17. Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    18. 

  18. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    19. 

  19. ---
    20. 

  20.  drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
    21. 

  21.  1 file changed, 3 insertions(+), 4 deletions(-)
    22. 

  22. 

  23. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
    24. 

  24. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
    25. 

  25. @@ -705,7 +705,7 @@ done:
    26. 

  26.  int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
    27. 

  27.  			   struct sk_buff_head *pktq, uint totlen)
    28. 

  28.  {
    29. 

  29. -	struct sk_buff *glom_skb;
    30. 

  30. +	struct sk_buff *glom_skb = NULL;
    31. 

  31.  	struct sk_buff *skb;
    32. 

  32.  	u32 addr = sdiodev->sbwad;
    33. 

  33.  	int err = 0;
    34. 

  34. @@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
    35. 

  35.  			return -ENOMEM;
    36. 

  36.  		err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
    37. 

  37.  					 glom_skb);
    38. 

  38. -		if (err) {
    39. 

  39. -			brcmu_pkt_buf_free_skb(glom_skb);
    40. 

  40. +		if (err)
    41. 

  41.  			goto done;
    42. 

  42. -		}
    43. 

  43.  
    44. 

  44.  		skb_queue_walk(pktq, skb) {
    45. 

  45.  			memcpy(skb->data, glom_skb->data, skb->len);
    46. 

  46. @@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
    47. 

  47.  					    pktq);
    48. 

  48.  
    49. 

  49.  done:
    50. 

  50. +	brcmu_pkt_buf_free_skb(glom_skb);
    51. 

  51.  	return err;
    52. 

  52.  }
    53. 

  53.  
    54.