From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail-ob0-f170.google.com ([209.85.214.170]:51122 "EHLO mail-ob0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752092AbaC3Vbf (ORCPT ); Sun, 30 Mar 2014 17:31:35 -0400 Message-ID: <53388D35.8080902@lwfinger.net> (sfid-20140330_233319_982024_36E8C56C) Date: Sun, 30 Mar 2014 16:31:33 -0500 From: Larry Finger MIME-Version: 1.0 To: Alexey Khoroshilov , Herton Ronaldo Krzesinski , Hin-Tak Leung CC: "John W. Linville" , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: Re: [PATCH] rtl8187: fix use after free on failure path in rtl8187_probe() References: <1396038375-18122-1-git-send-email-khoroshilov@ispras.ru> In-Reply-To: <1396038375-18122-1-git-send-email-khoroshilov@ispras.ru> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: linux-wireless-owner@vger.kernel.org List-ID: On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: > If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) > while usb_get_dev(udev) is not called yet. As a result refcnt is decremented > incorrectly and usb_dev can be used after memory deallocation. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov > --- Acked-by: Larry Finger Thanks, Larry > drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c > index fd78df813a85..d7f540a9dc9b 100644 > --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c > +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c > @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, > > err_free_dmabuf: > kfree(priv->io_dmabuf); > - err_free_dev: > - ieee80211_free_hw(dev); > usb_set_intfdata(intf, NULL); > usb_put_dev(udev); > + err_free_dev: > + ieee80211_free_hw(dev); > return err; > } > >