From patchwork Mon Jun 29 10:17:54 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nicolas Iooss X-Patchwork-Id: 6687701 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 86121C05AC for ; Mon, 29 Jun 2015 10:25:00 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 8535B20555 for ; Mon, 29 Jun 2015 10:24:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 796972054D for ; Mon, 29 Jun 2015 10:24:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750809AbbF2KYj (ORCPT ); Mon, 29 Jun 2015 06:24:39 -0400 Received: from mx1.polytechnique.org ([129.104.30.34]:44431 "EHLO mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751712AbbF2KYh (ORCPT ); Mon, 29 Jun 2015 06:24:37 -0400 X-Greylist: delayed 362 seconds by postgrey-1.27 at vger.kernel.org; Mon, 29 Jun 2015 06:24:37 EDT Received: from iosakhe.localdomain (unknown [103.252.202.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id 824BF140912F0; Mon, 29 Jun 2015 12:18:28 +0200 (CEST) From: Nicolas Iooss To: Lauro Ramos Venancio , Aloisio Almeida Jr , Samuel Ortiz , Christophe Ricard Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Nicolas Iooss Subject: [PATCH] NFC: st21nfca, st-nci: fix use of uninitialized variables in error path Date: Mon, 29 Jun 2015 18:17:54 +0800 Message-Id: <1435573074-29503-1-git-send-email-nicolas.iooss_linux@m4x.org> X-Mailer: git-send-email 2.4.4 X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Mon Jun 29 12:18:30 2015 +0200 (CEST)) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.5 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP st21nfca_hci_load_session() calls kfree_skb() on unitialized variables skb_pipe_info and skb_pipe_list if the call to nfc_hci_connect_gate() failed. Reword the error path to not use these variables when they are not initialized. While at it, there seemed to be a memory leak because skb_pipe_info was only freed once, after the for-loop, even though several ones were created by nfc_hci_send_cmd. st_nci_hci_load_session() is similar to st21nfca_hci_load_session(), so rework this function too. Fixes: ec03ff1a8f9a ("NFC: st21nfca: Remove skb_pipe_list and skb_pipe_info useless allocation") Signed-off-by: Nicolas Iooss --- As I haven't got the hardware needed to perform tests, I only compile-tested this patch. Moreover I may then have missed something important for example in the way the memory is managed (I did not understand why skb_pipe_info was not freed in the for loop). drivers/nfc/st-nci/st-nci_se.c | 8 ++++---- drivers/nfc/st21nfca/st21nfca.c | 11 ++++++----- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/nfc/st-nci/st-nci_se.c b/drivers/nfc/st-nci/st-nci_se.c index 97addfa96c6f..c742ef65a05a 100644 --- a/drivers/nfc/st-nci/st-nci_se.c +++ b/drivers/nfc/st-nci/st-nci_se.c @@ -189,14 +189,14 @@ int st_nci_hci_load_session(struct nci_dev *ndev) ST_NCI_DEVICE_MGNT_GATE, ST_NCI_DEVICE_MGNT_PIPE); if (r < 0) - goto free_info; + return r; /* Get pipe list */ r = nci_hci_send_cmd(ndev, ST_NCI_DEVICE_MGNT_GATE, ST_NCI_DM_GETINFO, pipe_list, sizeof(pipe_list), &skb_pipe_list); if (r < 0) - goto free_info; + return r; /* Complete the existing gate_pipe table */ for (i = 0; i < skb_pipe_list->len; i++) { @@ -222,6 +222,7 @@ int st_nci_hci_load_session(struct nci_dev *ndev) dm_pipe_info->src_host_id != ST_NCI_ESE_HOST_ID) { pr_err("Unexpected apdu_reader pipe on host %x\n", dm_pipe_info->src_host_id); + kfree_skb(skb_pipe_info); continue; } @@ -241,13 +242,12 @@ int st_nci_hci_load_session(struct nci_dev *ndev) ndev->hci_dev->pipes[st_nci_gates[j].pipe].host = dm_pipe_info->src_host_id; } + kfree_skb(skb_pipe_info); } memcpy(ndev->hci_dev->init_data.gates, st_nci_gates, sizeof(st_nci_gates)); -free_info: - kfree_skb(skb_pipe_info); kfree_skb(skb_pipe_list); return r; } diff --git a/drivers/nfc/st21nfca/st21nfca.c b/drivers/nfc/st21nfca/st21nfca.c index d251f7229c4e..051286562fab 100644 --- a/drivers/nfc/st21nfca/st21nfca.c +++ b/drivers/nfc/st21nfca/st21nfca.c @@ -148,14 +148,14 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev *hdev) ST21NFCA_DEVICE_MGNT_GATE, ST21NFCA_DEVICE_MGNT_PIPE); if (r < 0) - goto free_info; + return r; /* Get pipe list */ r = nfc_hci_send_cmd(hdev, ST21NFCA_DEVICE_MGNT_GATE, ST21NFCA_DM_GETINFO, pipe_list, sizeof(pipe_list), &skb_pipe_list); if (r < 0) - goto free_info; + return r; /* Complete the existing gate_pipe table */ for (i = 0; i < skb_pipe_list->len; i++) { @@ -181,6 +181,7 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev *hdev) info->src_host_id != ST21NFCA_ESE_HOST_ID) { pr_err("Unexpected apdu_reader pipe on host %x\n", info->src_host_id); + kfree_skb(skb_pipe_info); continue; } @@ -200,6 +201,7 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev *hdev) hdev->pipes[st21nfca_gates[j].pipe].dest_host = info->src_host_id; } + kfree_skb(skb_pipe_info); } /* @@ -214,13 +216,12 @@ static int st21nfca_hci_load_session(struct nfc_hci_dev *hdev) st21nfca_gates[i].gate, st21nfca_gates[i].pipe); if (r < 0) - goto free_info; + goto free_list; } } memcpy(hdev->init_data.gates, st21nfca_gates, sizeof(st21nfca_gates)); -free_info: - kfree_skb(skb_pipe_info); +free_list: kfree_skb(skb_pipe_list); return r; }