diff options
Diffstat (limited to 'package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch')
| -rw-r--r-- | package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch b/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch new file mode 100644 index 0000000000..b1be6b1ec2 --- /dev/null +++ b/package/kernel/mac80211/patches/323-v4.13-0002-brcmfmac-Fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch @@ -0,0 +1,53 @@ +From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001 +From: "Peter S. Housel" <housel@acm.org> +Date: Mon, 12 Jun 2017 11:46:22 +0100 +Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain + +An earlier change to this function (3bdae810721b) fixed a leak in the +case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the +glom_skb buffer, used for emulating a scattering read, is never used +or referenced after its contents are copied into the destination +buffers, and therefore always needs to be freed by the end of the +function. + +Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain") +Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support") +Cc: stable@vger.kernel.org # 4.9.x- +Signed-off-by: Peter S. Housel <housel@acm.org> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +@@ -705,7 +705,7 @@ done: + int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, + struct sk_buff_head *pktq, uint totlen) + { +- struct sk_buff *glom_skb; ++ struct sk_buff *glom_skb = NULL; + struct sk_buff *skb; + u32 addr = sdiodev->sbwad; + int err = 0; +@@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_ + return -ENOMEM; + err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr, + glom_skb); +- if (err) { +- brcmu_pkt_buf_free_skb(glom_skb); ++ if (err) + goto done; +- } + + skb_queue_walk(pktq, skb) { + memcpy(skb->data, glom_skb->data, skb->len); +@@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_ + pktq); + + done: ++ brcmu_pkt_buf_free_skb(glom_skb); + return err; + } + |