diff options
| author | Christoph Fritz <chf.fritz@googlemail.com> | 2011-05-08 16:50:09 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2011-05-10 15:54:50 -0400 |
| commit | b53575ecf939a4f752de87eabf1adbcfa4478a6c (patch) | |
| tree | 0e98918a3602d0abd1ff6bcc5dea9cef0763c99d /drivers | |
| parent | 3ed3f49473985718ce51f84d990ed5b8b6472598 (diff) | |
mwifiex: fix null derefs, mem leaks and trivia
This patch:
- adds kfree() where necessary
- prevents potential null dereferences
- makes use of kfree_skb()
- replaces -1 for failed kzallocs with -ENOMEM
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Reviewed-by: Kiran Divekar <dkiran@marvell.com>
Tested-by: Amitkumar Karwar <akarwar@marvell.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/mwifiex/11n_aggr.c | 6 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/cfg80211.c | 5 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/cmdevt.c | 2 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/init.c | 4 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/main.c | 8 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/scan.c | 8 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/sdio.c | 5 | ||||
| -rw-r--r-- | drivers/net/wireless/mwifiex/sta_ioctl.c | 2 |
8 files changed, 23 insertions, 17 deletions
diff --git a/drivers/net/wireless/mwifiex/11n_aggr.c b/drivers/net/wireless/mwifiex/11n_aggr.c index 12cf4246f96b..2b2cca5e6d0f 100644 --- a/drivers/net/wireless/mwifiex/11n_aggr.c +++ b/drivers/net/wireless/mwifiex/11n_aggr.c | |||
| @@ -318,7 +318,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, | |||
| 318 | else | 318 | else |
| 319 | skb_src = NULL; | 319 | skb_src = NULL; |
| 320 | 320 | ||
| 321 | pra_list->total_pkts_size -= skb_src->len; | 321 | if (skb_src) |
| 322 | pra_list->total_pkts_size -= skb_src->len; | ||
| 322 | 323 | ||
| 323 | spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, | 324 | spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, |
| 324 | ra_list_flags); | 325 | ra_list_flags); |
| @@ -373,7 +374,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, | |||
| 373 | (adapter->pps_uapsd_mode) && | 374 | (adapter->pps_uapsd_mode) && |
| 374 | (adapter->tx_lock_flag)) { | 375 | (adapter->tx_lock_flag)) { |
| 375 | priv->adapter->tx_lock_flag = false; | 376 | priv->adapter->tx_lock_flag = false; |
| 376 | ptx_pd->flags = 0; | 377 | if (ptx_pd) |
| 378 | ptx_pd->flags = 0; | ||
| 377 | } | 379 | } |
| 378 | 380 | ||
| 379 | skb_queue_tail(&pra_list->skb_head, skb_aggr); | 381 | skb_queue_tail(&pra_list->skb_head, skb_aggr); |
diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c index 0c0116374d7d..19be8870c683 100644 --- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c | |||
| @@ -1255,8 +1255,10 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, | |||
| 1255 | wdev->wiphy = | 1255 | wdev->wiphy = |
| 1256 | wiphy_new(&mwifiex_cfg80211_ops, | 1256 | wiphy_new(&mwifiex_cfg80211_ops, |
| 1257 | sizeof(struct mwifiex_private *)); | 1257 | sizeof(struct mwifiex_private *)); |
| 1258 | if (!wdev->wiphy) | 1258 | if (!wdev->wiphy) { |
| 1259 | kfree(wdev); | ||
| 1259 | return -ENOMEM; | 1260 | return -ENOMEM; |
| 1261 | } | ||
| 1260 | wdev->iftype = NL80211_IFTYPE_STATION; | 1262 | wdev->iftype = NL80211_IFTYPE_STATION; |
| 1261 | wdev->wiphy->max_scan_ssids = 10; | 1263 | wdev->wiphy->max_scan_ssids = 10; |
| 1262 | wdev->wiphy->interface_modes = | 1264 | wdev->wiphy->interface_modes = |
| @@ -1296,6 +1298,7 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, | |||
| 1296 | dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n", | 1298 | dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n", |
| 1297 | __func__); | 1299 | __func__); |
| 1298 | wiphy_free(wdev->wiphy); | 1300 | wiphy_free(wdev->wiphy); |
| 1301 | kfree(wdev); | ||
| 1299 | return ret; | 1302 | return ret; |
| 1300 | } else { | 1303 | } else { |
| 1301 | dev_dbg(priv->adapter->dev, | 1304 | dev_dbg(priv->adapter->dev, |
diff --git a/drivers/net/wireless/mwifiex/cmdevt.c b/drivers/net/wireless/mwifiex/cmdevt.c index b75cc9271a19..1c8b4f7cba47 100644 --- a/drivers/net/wireless/mwifiex/cmdevt.c +++ b/drivers/net/wireless/mwifiex/cmdevt.c | |||
| @@ -292,7 +292,7 @@ int mwifiex_alloc_cmd_buffer(struct mwifiex_adapter *adapter) | |||
| 292 | if (!cmd_array) { | 292 | if (!cmd_array) { |
| 293 | dev_err(adapter->dev, "%s: failed to alloc cmd_array\n", | 293 | dev_err(adapter->dev, "%s: failed to alloc cmd_array\n", |
| 294 | __func__); | 294 | __func__); |
| 295 | return -1; | 295 | return -ENOMEM; |
| 296 | } | 296 | } |
| 297 | 297 | ||
| 298 | adapter->cmd_pool = cmd_array; | 298 | adapter->cmd_pool = cmd_array; |
diff --git a/drivers/net/wireless/mwifiex/init.c b/drivers/net/wireless/mwifiex/init.c index 27ad72b291b7..6a8fd9989a23 100644 --- a/drivers/net/wireless/mwifiex/init.c +++ b/drivers/net/wireless/mwifiex/init.c | |||
| @@ -41,7 +41,7 @@ static int mwifiex_add_bss_prio_tbl(struct mwifiex_private *priv) | |||
| 41 | if (!bss_prio) { | 41 | if (!bss_prio) { |
| 42 | dev_err(adapter->dev, "%s: failed to alloc bss_prio\n", | 42 | dev_err(adapter->dev, "%s: failed to alloc bss_prio\n", |
| 43 | __func__); | 43 | __func__); |
| 44 | return -1; | 44 | return -ENOMEM; |
| 45 | } | 45 | } |
| 46 | 46 | ||
| 47 | bss_prio->priv = priv; | 47 | bss_prio->priv = priv; |
| @@ -161,7 +161,7 @@ static int mwifiex_allocate_adapter(struct mwifiex_adapter *adapter) | |||
| 161 | if (!temp_scan_table) { | 161 | if (!temp_scan_table) { |
| 162 | dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n", | 162 | dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n", |
| 163 | __func__); | 163 | __func__); |
| 164 | return -1; | 164 | return -ENOMEM; |
| 165 | } | 165 | } |
| 166 | 166 | ||
| 167 | adapter->scan_table = temp_scan_table; | 167 | adapter->scan_table = temp_scan_table; |
diff --git a/drivers/net/wireless/mwifiex/main.c b/drivers/net/wireless/mwifiex/main.c index 38f912b8fcec..44957cac61e1 100644 --- a/drivers/net/wireless/mwifiex/main.c +++ b/drivers/net/wireless/mwifiex/main.c | |||
| @@ -69,7 +69,7 @@ static int mwifiex_register(void *card, struct mwifiex_if_ops *if_ops, | |||
| 69 | 69 | ||
| 70 | adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL); | 70 | adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL); |
| 71 | if (!adapter) | 71 | if (!adapter) |
| 72 | return -1; | 72 | return -ENOMEM; |
| 73 | 73 | ||
| 74 | g_adapter = adapter; | 74 | g_adapter = adapter; |
| 75 | adapter->card = card; | 75 | adapter->card = card; |
| @@ -516,13 +516,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 516 | jiffies, priv->bss_index); | 516 | jiffies, priv->bss_index); |
| 517 | 517 | ||
| 518 | if (priv->adapter->surprise_removed) { | 518 | if (priv->adapter->surprise_removed) { |
| 519 | kfree(skb); | 519 | kfree_skb(skb); |
| 520 | priv->stats.tx_dropped++; | 520 | priv->stats.tx_dropped++; |
| 521 | return 0; | 521 | return 0; |
| 522 | } | 522 | } |
| 523 | if (!skb->len || (skb->len > ETH_FRAME_LEN)) { | 523 | if (!skb->len || (skb->len > ETH_FRAME_LEN)) { |
| 524 | dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len); | 524 | dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len); |
| 525 | kfree(skb); | 525 | kfree_skb(skb); |
| 526 | priv->stats.tx_dropped++; | 526 | priv->stats.tx_dropped++; |
| 527 | return 0; | 527 | return 0; |
| 528 | } | 528 | } |
| @@ -535,7 +535,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) | |||
| 535 | skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN); | 535 | skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN); |
| 536 | if (unlikely(!new_skb)) { | 536 | if (unlikely(!new_skb)) { |
| 537 | dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n"); | 537 | dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n"); |
| 538 | kfree(skb); | 538 | kfree_skb(skb); |
| 539 | priv->stats.tx_dropped++; | 539 | priv->stats.tx_dropped++; |
| 540 | return 0; | 540 | return 0; |
| 541 | } | 541 | } |
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c index 4968974f3427..5c22860fb40a 100644 --- a/drivers/net/wireless/mwifiex/scan.c +++ b/drivers/net/wireless/mwifiex/scan.c | |||
| @@ -2283,7 +2283,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, | |||
| 2283 | GFP_KERNEL); | 2283 | GFP_KERNEL); |
| 2284 | if (!scan_cfg_out) { | 2284 | if (!scan_cfg_out) { |
| 2285 | dev_err(adapter->dev, "failed to alloc scan_cfg_out\n"); | 2285 | dev_err(adapter->dev, "failed to alloc scan_cfg_out\n"); |
| 2286 | return -1; | 2286 | return -ENOMEM; |
| 2287 | } | 2287 | } |
| 2288 | 2288 | ||
| 2289 | buf_size = sizeof(struct mwifiex_chan_scan_param_set) * | 2289 | buf_size = sizeof(struct mwifiex_chan_scan_param_set) * |
| @@ -2292,7 +2292,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, | |||
| 2292 | if (!scan_chan_list) { | 2292 | if (!scan_chan_list) { |
| 2293 | dev_err(adapter->dev, "failed to alloc scan_chan_list\n"); | 2293 | dev_err(adapter->dev, "failed to alloc scan_chan_list\n"); |
| 2294 | kfree(scan_cfg_out); | 2294 | kfree(scan_cfg_out); |
| 2295 | return -1; | 2295 | return -ENOMEM; |
| 2296 | } | 2296 | } |
| 2297 | 2297 | ||
| 2298 | keep_previous_scan = false; | 2298 | keep_previous_scan = false; |
| @@ -2491,7 +2491,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, | |||
| 2491 | GFP_KERNEL); | 2491 | GFP_KERNEL); |
| 2492 | if (!bss_new_entry) { | 2492 | if (!bss_new_entry) { |
| 2493 | dev_err(adapter->dev, " failed to alloc bss_new_entry\n"); | 2493 | dev_err(adapter->dev, " failed to alloc bss_new_entry\n"); |
| 2494 | return -1; | 2494 | return -ENOMEM; |
| 2495 | } | 2495 | } |
| 2496 | 2496 | ||
| 2497 | for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) { | 2497 | for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) { |
| @@ -2881,7 +2881,7 @@ static int mwifiex_scan_specific_ssid(struct mwifiex_private *priv, | |||
| 2881 | scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL); | 2881 | scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL); |
| 2882 | if (!scan_cfg) { | 2882 | if (!scan_cfg) { |
| 2883 | dev_err(adapter->dev, "failed to alloc scan_cfg\n"); | 2883 | dev_err(adapter->dev, "failed to alloc scan_cfg\n"); |
| 2884 | return -1; | 2884 | return -ENOMEM; |
| 2885 | } | 2885 | } |
| 2886 | 2886 | ||
| 2887 | memcpy(scan_cfg->ssid_list[0].ssid, req_ssid->ssid, | 2887 | memcpy(scan_cfg->ssid_list[0].ssid, req_ssid->ssid, |
diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c index 470dbaaeaa02..d425dbd91d19 100644 --- a/drivers/net/wireless/mwifiex/sdio.c +++ b/drivers/net/wireless/mwifiex/sdio.c | |||
| @@ -68,6 +68,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id) | |||
| 68 | 68 | ||
| 69 | if (ret) { | 69 | if (ret) { |
| 70 | pr_err("%s: failed to enable function\n", __func__); | 70 | pr_err("%s: failed to enable function\n", __func__); |
| 71 | kfree(card); | ||
| 71 | return -EIO; | 72 | return -EIO; |
| 72 | } | 73 | } |
| 73 | 74 | ||
| @@ -676,7 +677,7 @@ static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter, | |||
| 676 | if (!fwbuf) { | 677 | if (!fwbuf) { |
| 677 | dev_err(adapter->dev, "unable to alloc buffer for firmware." | 678 | dev_err(adapter->dev, "unable to alloc buffer for firmware." |
| 678 | " Terminating download\n"); | 679 | " Terminating download\n"); |
| 679 | return -1; | 680 | return -ENOMEM; |
| 680 | } | 681 | } |
| 681 | 682 | ||
| 682 | /* Perform firmware data transfer */ | 683 | /* Perform firmware data transfer */ |
| @@ -1605,7 +1606,7 @@ static int mwifiex_init_sdio(struct mwifiex_adapter *adapter) | |||
| 1605 | card->mp_regs = kzalloc(MAX_MP_REGS, GFP_KERNEL); | 1606 | card->mp_regs = kzalloc(MAX_MP_REGS, GFP_KERNEL); |
| 1606 | if (!card->mp_regs) { | 1607 | if (!card->mp_regs) { |
| 1607 | dev_err(adapter->dev, "failed to alloc mp_regs\n"); | 1608 | dev_err(adapter->dev, "failed to alloc mp_regs\n"); |
| 1608 | return -1; | 1609 | return -ENOMEM; |
| 1609 | } | 1610 | } |
| 1610 | 1611 | ||
| 1611 | ret = mwifiex_alloc_sdio_mpa_buffers(adapter, | 1612 | ret = mwifiex_alloc_sdio_mpa_buffers(adapter, |
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index 4585c1bb9fa9..75bca56449cb 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c | |||
| @@ -895,7 +895,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, | |||
| 895 | if (!buf) { | 895 | if (!buf) { |
| 896 | dev_err(priv->adapter->dev, "%s: failed to alloc cmd buffer\n", | 896 | dev_err(priv->adapter->dev, "%s: failed to alloc cmd buffer\n", |
| 897 | __func__); | 897 | __func__); |
| 898 | return -1; | 898 | return -ENOMEM; |
| 899 | } | 899 | } |
| 900 | 900 | ||
| 901 | txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; | 901 | txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; |