* [PATCH 1/2] net: wireless, fix lock imbalance
@ 2010-01-06 16:35 Jiri Slaby
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Jiri Slaby @ 2010-01-06 16:35 UTC (permalink / raw)
To: linville; +Cc: linux-wireless, linux-kernel
One fail path in cfg80211_wext_siwscan omits to unlock rdev->mtx.
Fix that.
Trigerrable by "Scan for SSID" with long enough SSID (> 32).
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
net/wireless/scan.c | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 12dfa62..9c50c85 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,
/* translate "Scan for SSID" request */
if (wreq) {
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
- return -EINVAL;
+ if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
+ err = -EINVAL;
+ goto out;
+ }
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
creq->ssids[0].ssid_len = wreq->essid_len;
}
--
1.6.5.7
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/2] NET: wireless, fix memory leak
2010-01-06 16:35 [PATCH 1/2] net: wireless, fix lock imbalance Jiri Slaby
@ 2010-01-06 16:35 ` Jiri Slaby
2010-01-06 17:43 ` Luis R. Rodriguez
2010-01-06 19:07 ` Gertjan van Wingerde
2010-01-06 17:44 ` [PATCH 1/2] net: wireless, fix lock imbalance Luis R. Rodriguez
2010-01-06 19:55 ` John W. Linville
2 siblings, 2 replies; 8+ messages in thread
From: Jiri Slaby @ 2010-01-06 16:35 UTC (permalink / raw)
To: linville; +Cc: linux-wireless, linux-kernel
Stanse found a memory leak in cfg80211_wext_siwscan. creq is not
freed/assigned on all paths. Fix that.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
net/wireless/scan.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 9c50c85..3003d13 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -685,7 +685,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
/* No channels found? */
if (!i) {
err = -EINVAL;
- goto out;
+ goto out_free;
}
/* Set real number of channels specified in creq->channels[] */
@@ -696,7 +696,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
err = -EINVAL;
- goto out;
+ goto out_free;
}
memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
creq->ssids[0].ssid_len = wreq->essid_len;
@@ -717,6 +717,9 @@ int cfg80211_wext_siwscan(struct net_device *dev,
out:
cfg80211_unlock_rdev(rdev);
return err;
+out_free:
+ kfree(creq);
+ goto out;
}
EXPORT_SYMBOL_GPL(cfg80211_wext_siwscan);
--
1.6.5.7
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] NET: wireless, fix memory leak
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
@ 2010-01-06 17:43 ` Luis R. Rodriguez
2010-01-06 19:07 ` Gertjan van Wingerde
1 sibling, 0 replies; 8+ messages in thread
From: Luis R. Rodriguez @ 2010-01-06 17:43 UTC (permalink / raw)
To: Jiri Slaby; +Cc: linville, linux-wireless, linux-kernel
On Wed, Jan 6, 2010 at 8:35 AM, Jiri Slaby <jslaby@suse.cz> wrote:
> Stanse found a memory leak in cfg80211_wext_siwscan. creq is not
> freed/assigned on all paths. Fix that.
CC stable?
Luis
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] net: wireless, fix lock imbalance
2010-01-06 16:35 [PATCH 1/2] net: wireless, fix lock imbalance Jiri Slaby
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
@ 2010-01-06 17:44 ` Luis R. Rodriguez
2010-01-06 19:55 ` John W. Linville
2 siblings, 0 replies; 8+ messages in thread
From: Luis R. Rodriguez @ 2010-01-06 17:44 UTC (permalink / raw)
To: Jiri Slaby; +Cc: linville, linux-wireless, linux-kernel
On Wed, Jan 6, 2010 at 8:35 AM, Jiri Slaby <jslaby@suse.cz> wrote:
> One fail path in cfg80211_wext_siwscan omits to unlock rdev->mtx.
> Fix that.
>
> Trigerrable by "Scan for SSID" with long enough SSID (> 32).
Cc stable as well?
Luis
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] NET: wireless, fix memory leak
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
2010-01-06 17:43 ` Luis R. Rodriguez
@ 2010-01-06 19:07 ` Gertjan van Wingerde
2010-01-06 19:14 ` Jiri Slaby
1 sibling, 1 reply; 8+ messages in thread
From: Gertjan van Wingerde @ 2010-01-06 19:07 UTC (permalink / raw)
To: Jiri Slaby; +Cc: linville, linux-wireless, linux-kernel
On 01/06/10 17:35, Jiri Slaby wrote:
> Stanse found a memory leak in cfg80211_wext_siwscan. creq is not
> freed/assigned on all paths. Fix that.
>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> ---
> net/wireless/scan.c | 7 +++++--
> 1 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 9c50c85..3003d13 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -685,7 +685,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
> /* No channels found? */
> if (!i) {
> err = -EINVAL;
> - goto out;
> + goto out_free;
> }
>
> /* Set real number of channels specified in creq->channels[] */
> @@ -696,7 +696,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
> if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
> if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
> err = -EINVAL;
> - goto out;
> + goto out_free;
> }
> memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
> creq->ssids[0].ssid_len = wreq->essid_len;
> @@ -717,6 +717,9 @@ int cfg80211_wext_siwscan(struct net_device *dev,
> out:
> cfg80211_unlock_rdev(rdev);
> return err;
> +out_free:
> + kfree(creq);
> + goto out;
> }
> EXPORT_SYMBOL_GPL(cfg80211_wext_siwscan);
>
This last part looks a bit strange. Why don't you put out_free label before out label,
and let it continue after the kfree, instead of jumping back to the out label.
---
Gertjan.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 2/2] NET: wireless, fix memory leak
2010-01-06 19:07 ` Gertjan van Wingerde
@ 2010-01-06 19:14 ` Jiri Slaby
0 siblings, 0 replies; 8+ messages in thread
From: Jiri Slaby @ 2010-01-06 19:14 UTC (permalink / raw)
To: Gertjan van Wingerde; +Cc: linville, linux-wireless, linux-kernel
On 01/06/2010 08:07 PM, Gertjan van Wingerde wrote:
> On 01/06/10 17:35, Jiri Slaby wrote:
>> @@ -717,6 +717,9 @@ int cfg80211_wext_siwscan(struct net_device *dev,
>> out:
>> cfg80211_unlock_rdev(rdev);
>> return err;
>> +out_free:
>> + kfree(creq);
>> + goto out;
>> }
>> EXPORT_SYMBOL_GPL(cfg80211_wext_siwscan);
>>
>
> This last part looks a bit strange. Why don't you put out_free label before out label,
Because `out' is a part of non-error flow, where the creq should not be
freed.
thanks,
--
js
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] net: wireless, fix lock imbalance
2010-01-06 16:35 [PATCH 1/2] net: wireless, fix lock imbalance Jiri Slaby
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
2010-01-06 17:44 ` [PATCH 1/2] net: wireless, fix lock imbalance Luis R. Rodriguez
@ 2010-01-06 19:55 ` John W. Linville
2010-01-06 20:30 ` Jiri Slaby
2 siblings, 1 reply; 8+ messages in thread
From: John W. Linville @ 2010-01-06 19:55 UTC (permalink / raw)
To: Jiri Slaby; +Cc: linux-wireless, linux-kernel
On Wed, Jan 06, 2010 at 05:35:42PM +0100, Jiri Slaby wrote:
> One fail path in cfg80211_wext_siwscan omits to unlock rdev->mtx.
> Fix that.
>
> Trigerrable by "Scan for SSID" with long enough SSID (> 32).
>
> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Both this and the next one are already fixed in wireless-2.6...
commit 65486c8b30498dd274eea2c542696f22b63fe5b8
Author: Johannes Berg <johannes@sipsolutions.net>
Date: Wed Dec 23 15:33:35 2009 +0100
cfg80211: fix error path in cfg80211_wext_siwscan
If there's an invalid channel or SSID, the code leaks
the scan request. Always free the scan request, unless
it was successfully given to the driver.
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
--
John W. Linville Someday the world will need a hero, and you
linville@tuxdriver.com might be all we have. Be ready.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH 1/2] net: wireless, fix lock imbalance
2010-01-06 19:55 ` John W. Linville
@ 2010-01-06 20:30 ` Jiri Slaby
0 siblings, 0 replies; 8+ messages in thread
From: Jiri Slaby @ 2010-01-06 20:30 UTC (permalink / raw)
To: John W. Linville; +Cc: linux-wireless, linux-kernel
On 01/06/2010 08:55 PM, John W. Linville wrote:
> On Wed, Jan 06, 2010 at 05:35:42PM +0100, Jiri Slaby wrote:
>> One fail path in cfg80211_wext_siwscan omits to unlock rdev->mtx.
>> Fix that.
>>
>> Trigerrable by "Scan for SSID" with long enough SSID (> 32).
>>
>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
>
> Both this and the next one are already fixed in wireless-2.6...
Ok, thanks.
--
js
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2010-01-06 20:30 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-01-06 16:35 [PATCH 1/2] net: wireless, fix lock imbalance Jiri Slaby
2010-01-06 16:35 ` [PATCH 2/2] NET: wireless, fix memory leak Jiri Slaby
2010-01-06 17:43 ` Luis R. Rodriguez
2010-01-06 19:07 ` Gertjan van Wingerde
2010-01-06 19:14 ` Jiri Slaby
2010-01-06 17:44 ` [PATCH 1/2] net: wireless, fix lock imbalance Luis R. Rodriguez
2010-01-06 19:55 ` John W. Linville
2010-01-06 20:30 ` Jiri Slaby
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).