From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Dan Carpenter <dan.carpenter@oracle.com>,
	Franky Lin <franky.lin@broadcom.com>,
	Kalle Valo <kvalo@codeaurora.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.4 003/100] brcmfmac: Fix use after free in brcmf_sdio_readframes()
Date: Fri, 14 Feb 2020 11:22:47 -0500
Message-ID: <20200214162425.21071-3-sashal@kernel.org>
In-Reply-To: <20200214162425.21071-1-sashal@kernel.org>

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 216b44000ada87a63891a8214c347e05a4aea8fe ]

The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:

    drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
    error: dereferencing freed memory 'pkt'

It looks like there was supposed to be a continue after we free "pkt".

Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/sdio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
index 9954e641c943d..8bb028f740fd8 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
@@ -2027,6 +2027,7 @@ static uint brcmf_sdio_readframes(struct brcmf_sdio *bus, uint maxframes)
 					       BRCMF_SDIO_FT_NORMAL)) {
 				rd->len = 0;
 				brcmu_pkt_buf_free_skb(pkt);
+				continue;
 			}
 			bus->sdcnt.rx_readahead_cnt++;
 			if (rd->len != roundup(rd_new.len, 16)) {
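
Review bot: "pkt" still holds the freed pointer after brcmu_pkt_buf_free_skb(pkt) in the branch that sets rd->len = 0, and the added "continue" is the only thing keeping the rest of the loop body from touching it. Consider also setting pkt = NULL right after the free, so that any later path reaching the same variable fails on a NULL check instead of reading freed memory. The commit message says it only "looks like" a continue was intended, so it is worth confirming that nothing skipped by the early exit is needed on this error path: bus->sdcnt.rx_readahead_cnt++ is no longer counted for this frame, and any per-iteration bookkeeping further down the loop body (outside this hunk) is skipped as well. The static checker warning quoted above refers to drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974, while this backport applies at line 2027 of drivers/net/wireless/brcm80211/brcmfmac/sdio.c, so the surrounding 4.4 context should be checked by hand to make sure the "continue" lands in the same branch as upstream.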
-- 
2.20.1

