[PATCH] ath5k: Fix double free on hw attach error path

[PATCH] ath5k: Fix double free on hw attach error path

[Jones Desougi]

If ath5k_hw_attach fails it will free sc->ah (local variable ah) before
returning. However, when it reports failure the caller (ath5k_pci_probe)
will also free sc->ah. Let the caller handle the deallocation, it does
so on further errors as well.

Signed-off-by: Jones Desougi <jones.desougi@27m.se>
---
The patch is generated from a week-old compat-wireless, but applies
cleanly with -p1 to wireless-testing today.

diff -r -u -p
compat-wireless-2010-10-19.orig/drivers/net/wireless/ath/ath5k/attach.c
compat-wireless-2010-10-19/drivers/net/wireless/ath/ath5k/attach.c
---
compat-wireless-2010-10-19.orig/drivers/net/wireless/ath/ath5k/attach.c
2010-10-19 23:41:54.000000000 +0200
+++ compat-wireless-2010-10-19/drivers/net/wireless/ath/ath5k/attach.c
2010-10-22 14:28:29.000000000 +0200
@@ -139,12 +139,12 @@ int ath5k_hw_attach(struct ath5k_softc *
 	/* Fill the ath5k_hw struct with the needed functions */
 	ret = ath5k_hw_init_desc_functions(ah);
 	if (ret)
-		goto err_free;
+		goto err;

 	/* Bring device out of sleep and reset its units */
 	ret = ath5k_hw_nic_wakeup(ah, 0, true);
 	if (ret)
-		goto err_free;
+		goto err;

 	/* Get MAC, PHY and RADIO revisions */
 	ah->ah_mac_srev = srev;
@@ -234,7 +234,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 		} else {
 			ATH5K_ERR(sc, "Couldn't identify radio revision.\n");
 			ret = -ENODEV;
-			goto err_free;
+			goto err;
 		}
 	}

@@ -244,7 +244,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 	(srev < AR5K_SREV_AR2425)) {
 		ATH5K_ERR(sc, "Device not yet supported.\n");
 		ret = -ENODEV;
-		goto err_free;
+		goto err;
 	}

 	/*
@@ -252,7 +252,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 	 */
 	ret = ath5k_hw_post(ah);
 	if (ret)
-		goto err_free;
+		goto err;

 	/* Enable pci core retry fix on Hainan (5213A) and later chips */
 	if (srev >= AR5K_SREV_AR5213A)
@@ -265,7 +265,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 	ret = ath5k_eeprom_init(ah);
 	if (ret) {
 		ATH5K_ERR(sc, "unable to init EEPROM\n");
-		goto err_free;
+		goto err;
 	}

 	ee = &ah->ah_capabilities.cap_eeprom;
@@ -307,7 +307,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 	if (ret) {
 		ATH5K_ERR(sc, "unable to get device capabilities: 0x%04x\n",
 			sc->pdev->device);
-		goto err_free;
+		goto err;
 	}

 	/* Crypto settings */
@@ -341,8 +341,7 @@ int ath5k_hw_attach(struct ath5k_softc *
 	ath5k_hw_set_ledstate(ah, AR5K_LED_INIT);

 	return 0;
-err_free:
-	kfree(ah);
+err:
 	return ret;
 }

Re: [PATCH] ath5k: Fix double free on hw attach error path

[Bob Copeland]

On Wed, Oct 27, 2010 at 1:38 PM, Jones Desougi <jones.desougi@27m.se> wrote:
> If ath5k_hw_attach fails it will free sc->ah (local variable ah) before
> returning. However, when it reports failure the caller (ath5k_pci_probe)
> will also free sc->ah. Let the caller handle the deallocation, it does
> so on further errors as well.
>
> Signed-off-by: Jones Desougi <jones.desougi@27m.se>

Reviewed-by: Bob Copeland <me@bobcopeland.com>

Thanks, yes, looks like that was due to commit 9adca126d,
"ath5k: allocate ath5k_hw prior to initializing hw".

This should probably go to stable.

-- 
Bob Copeland %% www.bobcopeland.com