* [PATCH][-next] rtlwifi: kfree entry until after entry->bssid has been accessed
@ 2017-06-30 10:08 ` Colin King
0 siblings, 0 replies; 4+ messages in thread
From: Colin King @ 2017-06-30 10:08 UTC (permalink / raw)
To: Larry Finger, Chaoming Li, Kalle Valo, linux-wireless, netdev
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The current code kfree's entry and then dereferences it by accessing
entry->bssid. Avoid the dereference-after-free by moving the kfree
after the access to entry->bssid.
Detected by CoverityScan, CID#1448600 ("Read from pointer after free")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index e36ee592c660..208f56297a75 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -1735,12 +1735,12 @@ void rtl_scan_list_expire(struct ieee80211_hw *hw)
continue;
list_del(&entry->list);
- kfree(entry);
rtlpriv->scan_list.num--;
RT_TRACE(rtlpriv, COMP_SCAN, DBG_LOUD,
"BSSID=%pM is expire in scan list (total=%d)\n",
entry->bssid, rtlpriv->scan_list.num);
+ kfree(entry);
}
spin_unlock_irqrestore(&rtlpriv->locks.scan_list_lock, flags);
--
2.11.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH][-next] rtlwifi: kfree entry until after entry->bssid has been accessed
@ 2017-06-30 10:08 ` Colin King
0 siblings, 0 replies; 4+ messages in thread
From: Colin King @ 2017-06-30 10:08 UTC (permalink / raw)
To: Larry Finger, Chaoming Li, Kalle Valo, linux-wireless, netdev
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The current code kfree's entry and then dereferences it by accessing
entry->bssid. Avoid the dereference-after-free by moving the kfree
after the access to entry->bssid.
Detected by CoverityScan, CID#1448600 ("Read from pointer after free")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
drivers/net/wireless/realtek/rtlwifi/base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index e36ee592c660..208f56297a75 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -1735,12 +1735,12 @@ void rtl_scan_list_expire(struct ieee80211_hw *hw)
continue;
list_del(&entry->list);
- kfree(entry);
rtlpriv->scan_list.num--;
RT_TRACE(rtlpriv, COMP_SCAN, DBG_LOUD,
"BSSID=%pM is expire in scan list (total=%d)\n",
entry->bssid, rtlpriv->scan_list.num);
+ kfree(entry);
}
spin_unlock_irqrestore(&rtlpriv->locks.scan_list_lock, flags);
--
2.11.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [-next] rtlwifi: kfree entry until after entry->bssid has been accessed
2017-06-30 10:08 ` Colin King
@ 2017-07-27 10:58 ` Kalle Valo
-1 siblings, 0 replies; 4+ messages in thread
From: Kalle Valo @ 2017-07-27 10:58 UTC (permalink / raw)
To: Colin Ian King
Cc: Larry Finger, Chaoming Li, linux-wireless, netdev,
kernel-janitors, linux-kernel
Colin Ian King <colin.king@canonical.com> wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The current code kfree's entry and then dereferences it by accessing
> entry->bssid. Avoid the dereference-after-free by moving the kfree
> after the access to entry->bssid.
>
> Detected by CoverityScan, CID#1448600 ("Read from pointer after free")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Patch applied to wireless-drivers-next.git, thanks.
d0116f6f7b30 rtlwifi: kfree entry until after entry->bssid has been accessed
--
https://patchwork.kernel.org/patch/9819083/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [-next] rtlwifi: kfree entry until after entry->bssid has been accessed
@ 2017-07-27 10:58 ` Kalle Valo
0 siblings, 0 replies; 4+ messages in thread
From: Kalle Valo @ 2017-07-27 10:58 UTC (permalink / raw)
To: Colin Ian King
Cc: Larry Finger, Chaoming Li, linux-wireless, netdev,
kernel-janitors, linux-kernel
Colin Ian King <colin.king@canonical.com> wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The current code kfree's entry and then dereferences it by accessing
> entry->bssid. Avoid the dereference-after-free by moving the kfree
> after the access to entry->bssid.
>
> Detected by CoverityScan, CID#1448600 ("Read from pointer after free")
>
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
Patch applied to wireless-drivers-next.git, thanks.
d0116f6f7b30 rtlwifi: kfree entry until after entry->bssid has been accessed
--
https://patchwork.kernel.org/patch/9819083/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-07-27 10:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-30 10:08 [PATCH][-next] rtlwifi: kfree entry until after entry->bssid has been accessed Colin King
2017-06-30 10:08 ` Colin King
2017-07-27 10:58 ` [-next] " Kalle Valo
2017-07-27 10:58 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.