Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b53575ec authored by Christoph Fritz's avatar Christoph Fritz Committed by John W. Linville
Browse files

mwifiex: fix null derefs, mem leaks and trivia 



This patch:
 - adds kfree() where necessary
 - prevents potential null dereferences
 - makes use of kfree_skb()
 - replaces -1 for failed kzallocs with -ENOMEM

Signed-off-by: default avatarChristoph Fritz <chf.fritz@googlemail.com>
Reviewed-by: default avatarKiran Divekar <dkiran@marvell.com>
Tested-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
Acked-by: default avatarBing Zhao <bzhao@marvell.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 3ed3f494

drivers/net/wireless/mwifiex/11n_aggr.c

+4 −2
Original line number Diff line number Diff line
@@ -318,6 +318,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, 
		else

			skb_src = NULL;



		if (skb_src)

			pra_list->total_pkts_size -= skb_src->len;



		spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
@@ -373,6 +374,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, 
			(adapter->pps_uapsd_mode) &&

			(adapter->tx_lock_flag)) {

				priv->adapter->tx_lock_flag = false;

				if (ptx_pd)

					ptx_pd->flags = 0;

		}

drivers/net/wireless/mwifiex/cfg80211.c

+4 −1
Original line number Diff line number Diff line
@@ -1255,8 +1255,10 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, 
	wdev->wiphy =

		wiphy_new(&mwifiex_cfg80211_ops,

			  sizeof(struct mwifiex_private *));

	if (!wdev->wiphy)

	if (!wdev->wiphy) {

		kfree(wdev);

		return -ENOMEM;

	}

	wdev->iftype = NL80211_IFTYPE_STATION;

	wdev->wiphy->max_scan_ssids = 10;

	wdev->wiphy->interface_modes =
@@ -1296,6 +1298,7 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, 
		dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n",

						__func__);

		wiphy_free(wdev->wiphy);

		kfree(wdev);

		return ret;

	} else {

		dev_dbg(priv->adapter->dev,

drivers/net/wireless/mwifiex/cmdevt.c

+1 −1
Original line number Diff line number Diff line
@@ -292,7 +292,7 @@ int mwifiex_alloc_cmd_buffer(struct mwifiex_adapter *adapter) 
	if (!cmd_array) {

		dev_err(adapter->dev, "%s: failed to alloc cmd_array\n",

				__func__);

		return -1;

		return -ENOMEM;

	}



	adapter->cmd_pool = cmd_array;

drivers/net/wireless/mwifiex/init.c

+2 −2
Original line number Diff line number Diff line
@@ -41,7 +41,7 @@ static int mwifiex_add_bss_prio_tbl(struct mwifiex_private *priv) 
	if (!bss_prio) {

		dev_err(adapter->dev, "%s: failed to alloc bss_prio\n",

						__func__);

		return -1;

		return -ENOMEM;

	}



	bss_prio->priv = priv;
@@ -161,7 +161,7 @@ static int mwifiex_allocate_adapter(struct mwifiex_adapter *adapter) 
	if (!temp_scan_table) {

		dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n",

		       __func__);

		return -1;

		return -ENOMEM;

	}



	adapter->scan_table = temp_scan_table;

drivers/net/wireless/mwifiex/main.c

+4 −4
Original line number Diff line number Diff line
@@ -69,7 +69,7 @@ static int mwifiex_register(void *card, struct mwifiex_if_ops *if_ops, 


	adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL);

	if (!adapter)

		return -1;

		return -ENOMEM;



	g_adapter = adapter;

	adapter->card = card;
@@ -516,13 +516,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) 
				jiffies, priv->bss_index);



	if (priv->adapter->surprise_removed) {

		kfree(skb);

		kfree_skb(skb);

		priv->stats.tx_dropped++;

		return 0;

	}

	if (!skb->len || (skb->len > ETH_FRAME_LEN)) {

		dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len);

		kfree(skb);

		kfree_skb(skb);

		priv->stats.tx_dropped++;

		return 0;

	}
@@ -535,7 +535,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) 
			skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN);

		if (unlikely(!new_skb)) {

			dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n");

			kfree(skb);

			kfree_skb(skb);

			priv->stats.tx_dropped++;

			return 0;

		}