From patchwork Sat Jun 10 19:27:11 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arend van Spriel X-Patchwork-Id: 9779941 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 65525602DA for ; Sat, 10 Jun 2017 19:27:37 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 54CFA285E2 for ; Sat, 10 Jun 2017 19:27:37 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 498022866D; Sat, 10 Jun 2017 19:27:37 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C1476285E2 for ; Sat, 10 Jun 2017 19:27:36 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751651AbdFJT1R (ORCPT ); Sat, 10 Jun 2017 15:27:17 -0400 Received: from mail-wr0-f176.google.com ([209.85.128.176]:36293 "EHLO mail-wr0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751616AbdFJT1P (ORCPT ); Sat, 10 Jun 2017 15:27:15 -0400 Received: by mail-wr0-f176.google.com with SMTP id v111so60980310wrc.3 for ; Sat, 10 Jun 2017 12:27:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=/Ym5XU+IEFK0XCah1z/VgKhrysWzb4NZrwqizDlmDu8=; b=MfaBalh1Gguw9fLcBOrkyu6+sFgMp5b6drDQmYk8Qbjh5LyRu0Ce5B0CAY3DfDz1kI 0oQK8UqW5x27CYVsNvwqBTTGtNpFZNdtNDLSAsRJAwvRwRapBgK/T5sd8DS9KGoOoQMU JZVGDgoyWD6B/UYwCLdIt/xKcPiOsSw7chsGA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=/Ym5XU+IEFK0XCah1z/VgKhrysWzb4NZrwqizDlmDu8=; b=W4OsFlHNYtSXX5TnP77bGlFz595NiNtqLkzEKyPACk173rfPiqR8IJqt/0R4Egbul3 7+OAzNH888Mdzg0D+ctJZN1iEJmyGgGEx95CwUYOovdixveLgz9tlQAH4AddTTSYVWLo g0pTFIVhPXJXJqyyKsNEL0TytgkmE7/7spBJFAgdnApSZBNO/ZrkkYJtPwReLPPi7xdK F5Ngx6fo93G9kiqby2tVNtZM/ZdfJwk7ER55P0/rfIHZH1er3A5BaShMbUWeIB/YU2Lb jTBQZ/oMCkGMH2OneNXBoOyDNgIkEvxkJ8qBHWgb5noMh7UANyyQBbV5JjioSzvSL7iD cfNQ== X-Gm-Message-State: AODbwcBbf26RUFpTxAfgsibQZTZJ58SDqpaKHa9UgjfRshW62QLuPA/w ioG4wRCl70LUTCuu X-Received: by 10.80.162.165 with SMTP id 34mr37541766edm.151.1497122833704; Sat, 10 Jun 2017 12:27:13 -0700 (PDT) Received: from [192.168.178.39] (f140230.upc-f.chello.nl. [80.56.140.230]) by smtp.gmail.com with ESMTPSA id x9sm2769028edd.36.2017.06.10.12.27.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 10 Jun 2017 12:27:13 -0700 (PDT) Subject: Re: [PATCH v2] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain To: Andy Shevchenko , "Peter S. Housel" Cc: Franky Lin , Hante Meuleman , Kalle Valo , Pieter-Paul Giesberts , Christian Daudt , Florian Fainelli , Florian Westphal , Martin Blumenstingl , "open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER" , "open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER" , "open list:NETWORKING DRIVERS" , open list References: <1496442569-11307-1-git-send-email-housel@acm.org> From: Arend van Spriel Message-ID: <801f5209-f5a0-7414-f8f4-1500178a680b@broadcom.com> Date: Sat, 10 Jun 2017 21:27:11 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1 MIME-Version: 1.0 In-Reply-To: Content-Language: en-US Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On 03-06-17 17:36, Andy Shevchenko wrote: > On Sat, Jun 3, 2017 at 1:29 AM, Peter S. Housel wrote: >> An earlier change to this function (3bdae810721b) fixed a leak in the >> case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the >> glom_skb buffer, used for emulating a scattering read, is never used >> or referenced after its contents are copied into the destination >> buffers, and therefore always needs to be freed by the end of the >> function. [snip] >> + skb_queue_walk(pktq, skb) { >> + memcpy(skb->data, glom_skb->data, skb->len); >> + skb_pull(glom_skb, skb->len); >> + } >> } > >> + brcmu_pkt_buf_free_skb(glom_skb); > > Can we just add this one line instead or I'm missing something? I guess. We don't want to walk the packet queue if glom_skb is not carrying data due to brcmf_sdiod_buffrw() failure. So I would go with the patch below as brcmu_pkt_buf_free_skb() simply ignores null pointer. Regards, Arend Reviewed-by: Andy Shevchenko --- int err = 0; @@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, return -ENOMEM; err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr, glom_skb); - if (err) { - brcmu_pkt_buf_free_skb(glom_skb); + if (err) goto done; - } skb_queue_walk(pktq, skb) { memcpy(skb->data, glom_skb->data, skb->len); @@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, pktq); done: + brcmu_pkt_buf_free_skb(glom_skb); return err; } diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c index 5bc2ba2..3722f23 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c @@ -705,7 +705,7 @@ int brcmf_sdiod_recv_pkt(struct brcmf_sdio_dev *sdiodev, struct sk_buff *pkt) int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev, struct sk_buff_head *pktq, uint totlen) { - struct sk_buff *glom_skb; + struct sk_buff *glom_skb = NULL; struct sk_buff *skb; u32 addr = sdiodev->sbwad;