Commit 3309ccf7 authored Apr 16, 2013 by Stanislaw Gruszka Committed by Johannes Berg Apr 18, 2013

iwlwifi: fix freeing uninitialized pointer

If on iwl_dump_nic_event_log() error occurs before that function
initialize buf, we process uninitiated pointer in
iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409"

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=951241



Cc: stable@vger.kernel.org
Reported-by:  <ian.odette@eprize.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 0aed849f

drivers/net/wireless/iwlwifi/dvm/debugfs.c

+8 −8

Original line number	Diff line number	Diff line
		@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file,
		size_t count, loff_t *ppos)
		{
		struct iwl_priv *priv = file->private_data;
		char *buf;
		int pos = 0;
		ssize_t ret = -ENOMEM;
		char *buf = NULL;
		ssize_t ret;

		ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true);
		if (buf) {
		ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
		ret = iwl_dump_nic_event_log(priv, true, &buf, true);
		if (ret < 0)
		goto err;
		ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
		err:
		kfree(buf);
		}
		return ret;
		}