diff options
Diffstat (limited to 'package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch')
-rw-r--r-- | package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch b/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch new file mode 100644 index 0000000000..1b56f6d7ce --- /dev/null +++ b/package/kernel/mac80211/patches/brcm/411-v5.6-brcmfmac-Fix-use-after-free-in-brcmf_sdio_readframes.patch @@ -0,0 +1,31 @@ +From 216b44000ada87a63891a8214c347e05a4aea8fe Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <dan.carpenter@oracle.com> +Date: Tue, 3 Dec 2019 12:58:55 +0300 +Subject: [PATCH] brcmfmac: Fix use after free in brcmf_sdio_readframes() + +The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a +static checker warning: + + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes() + error: dereferencing freed memory 'pkt' + +It looks like there was supposed to be a continue after we free "pkt". + +Fixes: 4754fceeb9a6 ("brcmfmac: streamline SDIO read frame routine") +Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> +Acked-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -1935,6 +1935,7 @@ static uint brcmf_sdio_readframes(struct + BRCMF_SDIO_FT_NORMAL)) { + rd->len = 0; + brcmu_pkt_buf_free_skb(pkt); ++ continue; + } + bus->sdcnt.rx_readahead_cnt++; + if (rd->len != roundup(rd_new.len, 16)) { |