Message ID | 20200907162245.17997-1-keitasuzuki.park@sslab.ics.keio.ac.jp |
---|---|
State | New |
Series | brcmsmac: fix potential memory leak in wlc_phy_attach_lcnphy |
On 9/7/2020 6:22 PM, Keita Suzuki wrote: > When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, > the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be > freed in the caller function. > > Fix this by calling wlc_phy_detach_lcnphy in the error handler of > wlc_phy_txpwr_srom_read_lcnphy before returning. > > Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp> > --- > .../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c > index 7ef36234a25d..6d70f51b2ddf 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c > @@ -5065,8 +5065,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) > pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; > pi->pi_fptr.detach = wlc_phy_detach_lcnphy; > > - if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) > + if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { > + wlc_phy_detach_lcnphy(pi); Essentially the same but I prefer to simply do the kfree() call directly here as we also allocate in this function. Thanks, Arend
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c index 7ef36234a25d..6d70f51b2ddf 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c @@ -5065,8 +5065,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; pi->pi_fptr.detach = wlc_phy_detach_lcnphy; - if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) + if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { + wlc_phy_detach_lcnphy(pi); return false; + } if (LCNREV_IS(pi->pubpi.phy_rev, 1)) { if (pi_lcn->lcnphy_tempsense_option == 3) {
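Review bot: In the new error branch, wlc_phy_detach_lcnphy(pi) runs while pi->pi_fptr.detach, assigned two lines above, still points at that same function, and nothing in the hunk shows pi->u.pi_lcnphy being cleared afterwards. Please confirm that the caller does not also invoke pi->pi_fptr.detach when the attach returns false, and say so in the commit message, so the buffer cannot be freed twice; if that cannot be guaranteed, clear the pointer in the error path. The commit message also has no Fixes: tag identifying the commit that introduced the leak, which would help stable backports.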
When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be freed in the caller function.

Fix this by calling wlc_phy_detach_lcnphy in the error handler of wlc_phy_txpwr_srom_read_lcnphy before returning.

Signed-off-by: Keita Suzuki <keitasuzuki.park@sslab.ics.keio.ac.jp>

---

.../net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)