iwlwifi: fix freeing uninitialized pointer

If on iwl_dump_nic_event_log() error occurs before that function initialize buf, we process uninitiated pointer in iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409" Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=951241 Cc: stable@vger.kernel.org Reported-by: ian.odette@eprize.com Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
author: Stanislaw Gruszka <sgruszka@redhat.com> 2013-04-16 09:38:29 -0400
committer: Johannes Berg <johannes.berg@intel.com> 2013-04-18 07:28:53 -0400
commit: 3309ccf7fcebceef540ebe90c65d2f94d745a45b (patch)
tree: f0dc6db1b70253ad666a923e5783ef5e3e860ac4 /drivers/net/wireless
parent: 0aed849f61c1235041f98e4178d0a60aaa1dc548 (diff)
1 files changed, 8 insertions, 8 deletions
diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
index 7b8178be119f..cb6dd5813fbc 100644
--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file,
                                         size_t count, loff_t *ppos)
 {
        struct iwl_priv *priv = file->private_data;
-        char *buf;
+        char *buf = NULL;
-        int pos = 0;
+        ssize_t ret;
-        ssize_t ret = -ENOMEM;
-        ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true);
+        ret = iwl_dump_nic_event_log(priv, true, &buf, true);
-        if (buf) {
+        if (ret < 0)
-                ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
+                goto err;
-                kfree(buf);
+        ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
-        }
+err:
+        kfree(buf);
        return ret;
 }
author	Stanislaw Gruszka <sgruszka@redhat.com>	2013-04-16 09:38:29 -0400
committer	Johannes Berg <johannes.berg@intel.com>	2013-04-18 07:28:53 -0400
commit	3309ccf7fcebceef540ebe90c65d2f94d745a45b (patch)
tree	f0dc6db1b70253ad666a923e5783ef5e3e860ac4 /drivers/net/wireless
parent	0aed849f61c1235041f98e4178d0a60aaa1dc548 (diff)

diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c index 7b8178be119f..cb6dd5813fbc 100644 --- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c +++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file,
2237	size_t count, loff_t *ppos)	2237	size_t count, loff_t *ppos)
2238	{	2238	{
2239	struct iwl_priv *priv = file->private_data;	2239	struct iwl_priv *priv = file->private_data;
2240	char *buf;	2240	char *buf = NULL;
2241	int pos = 0;	2241	ssize_t ret;
2242	ssize_t ret = -ENOMEM;
2243		2242
2244	ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true);	2243	ret = iwl_dump_nic_event_log(priv, true, &buf, true);
2245	if (buf) {	2244	if (ret < 0)
2246	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);	2245	goto err;
2247	kfree(buf);	2246	ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
2248	}	2247	err:
		2248	kfree(buf);
2249	return ret;	2249	return ret;
2250	}	2250	}
2251		2251