| From 9bb56f6bfa092bd0776e6b9687777da00e8a37e9 Mon Sep 17 00:00:00 2001 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Tue, 3 Dec 2019 12:58:55 +0300 |
| Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes() |
| |
| commit 216b44000ada87a63891a8214c347e05a4aea8fe upstream. |
| |
| The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a |
| static checker warning: |
| |
| drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() |
| error: dereferencing freed memory 'pkt' |
| |
| It looks like there was supposed to be a continue after we free "pkt". |
| |
| Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Acked-by: Franky Lin <franky.lin@broadcom.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |
| index 9a51f1ba87c3..d27ca0db1934 100644 |
| --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |
| +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |
| @@ -1946,6 +1946,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes) |
| BRCMF_SDIO_FT_NORMAL)) { |
| rd->len = 0; |
| brcmu_pkt_buf_free_skb(pkt); |
| + continue; |
| } |
| bus->sdcnt.rx_readahead_cnt++; |
| if (rd->len != roundup(rd_new.len, 16)) { |
| -- |
| 2.7.4 |
| |