kernel-janitors.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [bug report] wimax/i2400m: support extended data RX protocol (no need to reallocate skbs)
@ 2017-04-12  8:34 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2017-04-12  8:34 UTC (permalink / raw)
  To: kernel-janitors

Hello Inaky Perez-Gonzalez,

The patch fd5c565c0c04: "wimax/i2400m: support extended data RX
protocol (no need to reallocate skbs)" from Feb 28, 2009, leads to
the following static checker warning:

	drivers/net/wimax/i2400m/netdev.c:565 i2400m_net_erx()
	error: dereferencing freed memory 'skb'

drivers/net/wimax/i2400m/netdev.c
   533  void i2400m_net_erx(struct i2400m *i2400m, struct sk_buff *skb,
   534                      enum i2400m_cs cs)
   535  {
   536          struct net_device *net_dev = i2400m->wimax_dev.net_dev;
   537          struct device *dev = i2400m_dev(i2400m);
   538          int protocol;
   539  
   540          d_fnstart(2, dev, "(i2400m %p skb %p [%u] cs %d)\n",
   541                    i2400m, skb, skb->len, cs);
   542          switch(cs) {
   543          case I2400M_CS_IPV4_0:
   544          case I2400M_CS_IPV4:
   545                  protocol = ETH_P_IP;
   546                  i2400m_rx_fake_eth_header(i2400m->wimax_dev.net_dev,
   547                                            skb->data - ETH_HLEN,
   548                                            cpu_to_be16(ETH_P_IP));
   549                  skb_set_mac_header(skb, -ETH_HLEN);
   550                  skb->dev = i2400m->wimax_dev.net_dev;
   551                  skb->protocol = htons(ETH_P_IP);
   552                  net_dev->stats.rx_packets++;
   553                  net_dev->stats.rx_bytes += skb->len;
   554                  break;
   555          default:
   556                  dev_err(dev, "ERX: BUG? CS type %u unsupported\n", cs);
   557                  goto error;
                        ^^^^^^^^^^
Is this a leak?

   558  
   559          }
   560          d_printf(3, dev, "ERX: receiving %d bytes to the network stack\n",
   561                   skb->len);
   562          d_dump(4, dev, skb->data, skb->len);
   563          netif_rx_ni(skb);       /* see notes in function header */
                            ^^^
Does this free "skb"?

   564  error:
   565          d_fnend(2, dev, "(i2400m %p skb %p [%u] cs %d) = void\n",
   566                  i2400m, skb, skb->len, cs);
                                     ^^^^^^^^
This is probably a use after free right?

   567  }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2017-04-12  8:34 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-12  8:34 [bug report] wimax/i2400m: support extended data RX protocol (no need to reallocate skbs) Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).