From b53575ecf939a4f752de87eabf1adbcfa4478a6c Mon Sep 17 00:00:00 2001 From: Christoph Fritz Date: Sun, 8 May 2011 22:50:09 +0200 Subject: [PATCH] mwifiex: fix null derefs, mem leaks and trivia This patch: - adds kfree() where necessary - prevents potential null dereferences - makes use of kfree_skb() - replaces -1 for failed kzallocs with -ENOMEM Signed-off-by: Christoph Fritz Reviewed-by: Kiran Divekar Tested-by: Amitkumar Karwar Acked-by: Bing Zhao Signed-off-by: John W. Linville --- drivers/net/wireless/mwifiex/11n_aggr.c | 6 ++++-- drivers/net/wireless/mwifiex/cfg80211.c | 5 ++++- drivers/net/wireless/mwifiex/cmdevt.c | 2 +- drivers/net/wireless/mwifiex/init.c | 4 ++-- drivers/net/wireless/mwifiex/main.c | 8 ++++---- drivers/net/wireless/mwifiex/scan.c | 8 ++++---- drivers/net/wireless/mwifiex/sdio.c | 5 +++-- drivers/net/wireless/mwifiex/sta_ioctl.c | 2 +- 8 files changed, 23 insertions(+), 17 deletions(-) diff --git a/drivers/net/wireless/mwifiex/11n_aggr.c b/drivers/net/wireless/mwifiex/11n_aggr.c index 12cf4246f96b..2b2cca5e6d0f 100644 --- a/drivers/net/wireless/mwifiex/11n_aggr.c +++ b/drivers/net/wireless/mwifiex/11n_aggr.c @@ -318,7 +318,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, else skb_src = NULL; - pra_list->total_pkts_size -= skb_src->len; + if (skb_src) + pra_list->total_pkts_size -= skb_src->len; spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, ra_list_flags); @@ -373,7 +374,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, (adapter->pps_uapsd_mode) && (adapter->tx_lock_flag)) { priv->adapter->tx_lock_flag = false; - ptx_pd->flags = 0; + if (ptx_pd) + ptx_pd->flags = 0; } skb_queue_tail(&pra_list->skb_head, skb_aggr); diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c index 0c0116374d7d..19be8870c683 100644 --- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c @@ -1255,8 +1255,10 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, wdev->wiphy = wiphy_new(&mwifiex_cfg80211_ops, sizeof(struct mwifiex_private *)); - if (!wdev->wiphy) + if (!wdev->wiphy) { + kfree(wdev); return -ENOMEM; + } wdev->iftype = NL80211_IFTYPE_STATION; wdev->wiphy->max_scan_ssids = 10; wdev->wiphy->interface_modes = @@ -1296,6 +1298,7 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n", __func__); wiphy_free(wdev->wiphy); + kfree(wdev); return ret; } else { dev_dbg(priv->adapter->dev, diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c index b75cc9271a19..1c8b4f7cba47 100644 --- a/drivers/net/wireless/mwifiex/cmdevt.c +++ b/drivers/net/wireless/mwifiex/cmdevt.c @@ -292,7 +292,7 @@ int mwifiex_alloc_cmd_buffer(struct mwifiex_adapter *adapter) if (!cmd_array) { dev_err(adapter->dev, "%s: failed to alloc cmd_array\n", __func__); - return -1; + return -ENOMEM; } adapter->cmd_pool = cmd_array; diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c index 27ad72b291b7..6a8fd9989a23 100644 --- a/drivers/net/wireless/mwifiex/init.c +++ b/drivers/net/wireless/mwifiex/init.c @@ -41,7 +41,7 @@ static int mwifiex_add_bss_prio_tbl(struct mwifiex_private *priv) if (!bss_prio) { dev_err(adapter->dev, "%s: failed to alloc bss_prio\n", __func__); - return -1; + return -ENOMEM; } bss_prio->priv = priv; @@ -161,7 +161,7 @@ static int mwifiex_allocate_adapter(struct mwifiex_adapter *adapter) if (!temp_scan_table) { dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n", __func__); - return -1; + return -ENOMEM; } adapter->scan_table = temp_scan_table; diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c index 38f912b8fcec..44957cac61e1 100644 --- a/drivers/net/wireless/mwifiex/main.c +++ b/drivers/net/wireless/mwifiex/main.c @@ -69,7 +69,7 @@ static int mwifiex_register(void *card, struct mwifiex_if_ops *if_ops, adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL); if (!adapter) - return -1; + return -ENOMEM; g_adapter = adapter; adapter->card = card; @@ -516,13 +516,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) jiffies, priv->bss_index); if (priv->adapter->surprise_removed) { - kfree(skb); + kfree_skb(skb); priv->stats.tx_dropped++; return 0; } if (!skb->len || (skb->len > ETH_FRAME_LEN)) { dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len); - kfree(skb); + kfree_skb(skb); priv->stats.tx_dropped++; return 0; } @@ -535,7 +535,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN); if (unlikely(!new_skb)) { dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n"); - kfree(skb); + kfree_skb(skb); priv->stats.tx_dropped++; return 0; } diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c index 4968974f3427..5c22860fb40a 100644 --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c @@ -2283,7 +2283,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, GFP_KERNEL); if (!scan_cfg_out) { dev_err(adapter->dev, "failed to alloc scan_cfg_out\n"); - return -1; + return -ENOMEM; } buf_size = sizeof(struct mwifiex_chan_scan_param_set) * @@ -2292,7 +2292,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, if (!scan_chan_list) { dev_err(adapter->dev, "failed to alloc scan_chan_list\n"); kfree(scan_cfg_out); - return -1; + return -ENOMEM; } keep_previous_scan = false; @@ -2491,7 +2491,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, GFP_KERNEL); if (!bss_new_entry) { dev_err(adapter->dev, " failed to alloc bss_new_entry\n"); - return -1; + return -ENOMEM; } for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) { @@ -2881,7 +2881,7 @@ static int mwifiex_scan_specific_ssid(struct mwifiex_private *priv, scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL); if (!scan_cfg) { dev_err(adapter->dev, "failed to alloc scan_cfg\n"); - return -1; + return -ENOMEM; } memcpy(scan_cfg->ssid_list[0].ssid, req_ssid->ssid, diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c index 470dbaaeaa02..d425dbd91d19 100644 --- a/drivers/net/wireless/mwifiex/sdio.c +++ b/drivers/net/wireless/mwifiex/sdio.c @@ -68,6 +68,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id) if (ret) { pr_err("%s: failed to enable function\n", __func__); + kfree(card); return -EIO; } @@ -676,7 +677,7 @@ static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter, if (!fwbuf) { dev_err(adapter->dev, "unable to alloc buffer for firmware." " Terminating download\n"); - return -1; + return -ENOMEM; } /* Perform firmware data transfer */ @@ -1605,7 +1606,7 @@ static int mwifiex_init_sdio(struct mwifiex_adapter *adapter) card->mp_regs = kzalloc(MAX_MP_REGS, GFP_KERNEL); if (!card->mp_regs) { dev_err(adapter->dev, "failed to alloc mp_regs\n"); - return -1; + return -ENOMEM; } ret = mwifiex_alloc_sdio_mpa_buffers(adapter, diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index 4585c1bb9fa9..75bca56449cb 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -895,7 +895,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, if (!buf) { dev_err(priv->adapter->dev, "%s: failed to alloc cmd buffer\n", __func__); - return -1; + return -ENOMEM; } txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; -- 2.34.1