Commit b53575ec authored by Christoph Fritz's avatar Christoph Fritz Committed by John W. Linville

mwifiex: fix null derefs, mem leaks and trivia

This patch:
 - adds kfree() where necessary
 - prevents potential null dereferences
 - makes use of kfree_skb()
 - replaces -1 for failed kzallocs with -ENOMEM
Signed-off-by: default avatarChristoph Fritz <chf.fritz@googlemail.com>
Reviewed-by: default avatarKiran Divekar <dkiran@marvell.com>
Tested-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
Acked-by: default avatarBing Zhao <bzhao@marvell.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 3ed3f494
...@@ -318,6 +318,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, ...@@ -318,6 +318,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
else else
skb_src = NULL; skb_src = NULL;
if (skb_src)
pra_list->total_pkts_size -= skb_src->len; pra_list->total_pkts_size -= skb_src->len;
spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock,
...@@ -373,6 +374,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, ...@@ -373,6 +374,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
(adapter->pps_uapsd_mode) && (adapter->pps_uapsd_mode) &&
(adapter->tx_lock_flag)) { (adapter->tx_lock_flag)) {
priv->adapter->tx_lock_flag = false; priv->adapter->tx_lock_flag = false;
if (ptx_pd)
ptx_pd->flags = 0; ptx_pd->flags = 0;
} }
......
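Review bot: The two new guards in mwifiex_11n_aggregate_pkt, `if (skb_src)` before the `total_pkts_size` adjustment and `if (ptx_pd)` before `ptx_pd->flags = 0;`, each protect a single statement and carry no comment saying when the pointer can be NULL. Both hunks cut through the function, so any later use of `skb_src` or `ptx_pd` is not visible here and should be checked against the same condition. At the first guard I would add a one-line comment such as `/* skb_src is NULL when the else branch above found no further packet */`, assuming that is what the else branch means.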
...@@ -1255,8 +1255,10 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, ...@@ -1255,8 +1255,10 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac,
wdev->wiphy = wdev->wiphy =
wiphy_new(&mwifiex_cfg80211_ops, wiphy_new(&mwifiex_cfg80211_ops,
sizeof(struct mwifiex_private *)); sizeof(struct mwifiex_private *));
if (!wdev->wiphy) if (!wdev->wiphy) {
kfree(wdev);
return -ENOMEM; return -ENOMEM;
}
wdev->iftype = NL80211_IFTYPE_STATION; wdev->iftype = NL80211_IFTYPE_STATION;
wdev->wiphy->max_scan_ssids = 10; wdev->wiphy->max_scan_ssids = 10;
wdev->wiphy->interface_modes = wdev->wiphy->interface_modes =
...@@ -1296,6 +1298,7 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac, ...@@ -1296,6 +1298,7 @@ int mwifiex_register_cfg80211(struct net_device *dev, u8 *mac,
dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n", dev_err(priv->adapter->dev, "%s: registering cfg80211 device\n",
__func__); __func__);
wiphy_free(wdev->wiphy); wiphy_free(wdev->wiphy);
kfree(wdev);
return ret; return ret;
} else { } else {
dev_dbg(priv->adapter->dev, dev_dbg(priv->adapter->dev,
......
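Review bot: The two failure exits of mwifiex_register_cfg80211 now each carry their own copy of the cleanup: `kfree(wdev);` after `wiphy_new()` fails, and `wiphy_free(wdev->wiphy); kfree(wdev);` after registration fails. A shared unwind label (for example `goto err_free_wdev;`) would keep any exit added later from missing a step. The function starts before and continues past both hunks, so it is not visible whether `wdev` has already been stored in a longer-lived structure at these points. If it has, that pointer should be cleared before the free so that nothing is left dangling.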
...@@ -292,7 +292,7 @@ int mwifiex_alloc_cmd_buffer(struct mwifiex_adapter *adapter) ...@@ -292,7 +292,7 @@ int mwifiex_alloc_cmd_buffer(struct mwifiex_adapter *adapter)
if (!cmd_array) { if (!cmd_array) {
dev_err(adapter->dev, "%s: failed to alloc cmd_array\n", dev_err(adapter->dev, "%s: failed to alloc cmd_array\n",
__func__); __func__);
return -1; return -ENOMEM;
} }
adapter->cmd_pool = cmd_array; adapter->cmd_pool = cmd_array;
......
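Review bot: Returning `-ENOMEM` instead of `-1` from mwifiex_alloc_cmd_buffer changes the value callers see, and no call site is updated in the visible hunks. Any caller that compares the result with `-1` rather than testing for non-zero would stop recognising the allocation failure. The same applies to the other `-1` to `-ENOMEM` replacements in this commit: mwifiex_add_bss_prio_tbl, mwifiex_allocate_adapter, mwifiex_register, mwifiex_scan_networks, mwifiex_ret_802_11_scan, mwifiex_scan_specific_ssid, mwifiex_prog_fw_w_helper, mwifiex_init_sdio and mwifiex_set_tx_power. The call sites should be checked for `== -1` or `!= -1` and switched to `if (ret)` where found.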
...@@ -41,7 +41,7 @@ static int mwifiex_add_bss_prio_tbl(struct mwifiex_private *priv) ...@@ -41,7 +41,7 @@ static int mwifiex_add_bss_prio_tbl(struct mwifiex_private *priv)
if (!bss_prio) { if (!bss_prio) {
dev_err(adapter->dev, "%s: failed to alloc bss_prio\n", dev_err(adapter->dev, "%s: failed to alloc bss_prio\n",
__func__); __func__);
return -1; return -ENOMEM;
} }
bss_prio->priv = priv; bss_prio->priv = priv;
...@@ -161,7 +161,7 @@ static int mwifiex_allocate_adapter(struct mwifiex_adapter *adapter) ...@@ -161,7 +161,7 @@ static int mwifiex_allocate_adapter(struct mwifiex_adapter *adapter)
if (!temp_scan_table) { if (!temp_scan_table) {
dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n", dev_err(adapter->dev, "%s: failed to alloc temp_scan_table\n",
__func__); __func__);
return -1; return -ENOMEM;
} }
adapter->scan_table = temp_scan_table; adapter->scan_table = temp_scan_table;
......
...@@ -69,7 +69,7 @@ static int mwifiex_register(void *card, struct mwifiex_if_ops *if_ops, ...@@ -69,7 +69,7 @@ static int mwifiex_register(void *card, struct mwifiex_if_ops *if_ops,
adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL); adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL);
if (!adapter) if (!adapter)
return -1; return -ENOMEM;
g_adapter = adapter; g_adapter = adapter;
adapter->card = card; adapter->card = card;
...@@ -516,13 +516,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -516,13 +516,13 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
jiffies, priv->bss_index); jiffies, priv->bss_index);
if (priv->adapter->surprise_removed) { if (priv->adapter->surprise_removed) {
kfree(skb); kfree_skb(skb);
priv->stats.tx_dropped++; priv->stats.tx_dropped++;
return 0; return 0;
} }
if (!skb->len || (skb->len > ETH_FRAME_LEN)) { if (!skb->len || (skb->len > ETH_FRAME_LEN)) {
dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len); dev_err(priv->adapter->dev, "Tx: bad skb len %d\n", skb->len);
kfree(skb); kfree_skb(skb);
priv->stats.tx_dropped++; priv->stats.tx_dropped++;
return 0; return 0;
} }
...@@ -535,7 +535,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -535,7 +535,7 @@ mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN); skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN);
if (unlikely(!new_skb)) { if (unlikely(!new_skb)) {
dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n"); dev_err(priv->adapter->dev, "Tx: cannot alloca new_skb\n");
kfree(skb); kfree_skb(skb);
priv->stats.tx_dropped++; priv->stats.tx_dropped++;
return 0; return 0;
} }
......
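Review bot: The three drop paths in mwifiex_hard_start_xmit now call `kfree_skb(skb);`, which is the right family of function. If this transmit handler can be entered with interrupts disabled (netpoll is the usual case), `dev_kfree_skb_any(skb);` is the variant that is safe in every context. Whether that applies depends on how the handler is reached, which the hunk does not show. The same three lines (free, `priv->stats.tx_dropped++;`, `return 0;`) are also repeated at each exit, and a single `drop:` label would keep the accounting in one place.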
...@@ -2283,7 +2283,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, ...@@ -2283,7 +2283,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv,
GFP_KERNEL); GFP_KERNEL);
if (!scan_cfg_out) { if (!scan_cfg_out) {
dev_err(adapter->dev, "failed to alloc scan_cfg_out\n"); dev_err(adapter->dev, "failed to alloc scan_cfg_out\n");
return -1; return -ENOMEM;
} }
buf_size = sizeof(struct mwifiex_chan_scan_param_set) * buf_size = sizeof(struct mwifiex_chan_scan_param_set) *
...@@ -2292,7 +2292,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv, ...@@ -2292,7 +2292,7 @@ int mwifiex_scan_networks(struct mwifiex_private *priv,
if (!scan_chan_list) { if (!scan_chan_list) {
dev_err(adapter->dev, "failed to alloc scan_chan_list\n"); dev_err(adapter->dev, "failed to alloc scan_chan_list\n");
kfree(scan_cfg_out); kfree(scan_cfg_out);
return -1; return -ENOMEM;
} }
keep_previous_scan = false; keep_previous_scan = false;
...@@ -2491,7 +2491,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv, ...@@ -2491,7 +2491,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
GFP_KERNEL); GFP_KERNEL);
if (!bss_new_entry) { if (!bss_new_entry) {
dev_err(adapter->dev, " failed to alloc bss_new_entry\n"); dev_err(adapter->dev, " failed to alloc bss_new_entry\n");
return -1; return -ENOMEM;
} }
for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) { for (idx = 0; idx < scan_rsp->number_of_sets && bytes_left; idx++) {
...@@ -2881,7 +2881,7 @@ static int mwifiex_scan_specific_ssid(struct mwifiex_private *priv, ...@@ -2881,7 +2881,7 @@ static int mwifiex_scan_specific_ssid(struct mwifiex_private *priv,
scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL); scan_cfg = kzalloc(sizeof(struct mwifiex_user_scan_cfg), GFP_KERNEL);
if (!scan_cfg) { if (!scan_cfg) {
dev_err(adapter->dev, "failed to alloc scan_cfg\n"); dev_err(adapter->dev, "failed to alloc scan_cfg\n");
return -1; return -ENOMEM;
} }
memcpy(scan_cfg->ssid_list[0].ssid, req_ssid->ssid, memcpy(scan_cfg->ssid_list[0].ssid, req_ssid->ssid,
......
...@@ -68,6 +68,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id) ...@@ -68,6 +68,7 @@ mwifiex_sdio_probe(struct sdio_func *func, const struct sdio_device_id *id)
if (ret) { if (ret) {
pr_err("%s: failed to enable function\n", __func__); pr_err("%s: failed to enable function\n", __func__);
kfree(card);
return -EIO; return -EIO;
} }
...@@ -676,7 +677,7 @@ static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter, ...@@ -676,7 +677,7 @@ static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter,
if (!fwbuf) { if (!fwbuf) {
dev_err(adapter->dev, "unable to alloc buffer for firmware." dev_err(adapter->dev, "unable to alloc buffer for firmware."
" Terminating download\n"); " Terminating download\n");
return -1; return -ENOMEM;
} }
/* Perform firmware data transfer */ /* Perform firmware data transfer */
...@@ -1605,7 +1606,7 @@ static int mwifiex_init_sdio(struct mwifiex_adapter *adapter) ...@@ -1605,7 +1606,7 @@ static int mwifiex_init_sdio(struct mwifiex_adapter *adapter)
card->mp_regs = kzalloc(MAX_MP_REGS, GFP_KERNEL); card->mp_regs = kzalloc(MAX_MP_REGS, GFP_KERNEL);
if (!card->mp_regs) { if (!card->mp_regs) {
dev_err(adapter->dev, "failed to alloc mp_regs\n"); dev_err(adapter->dev, "failed to alloc mp_regs\n");
return -1; return -ENOMEM;
} }
ret = mwifiex_alloc_sdio_mpa_buffers(adapter, ret = mwifiex_alloc_sdio_mpa_buffers(adapter,
......
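Review bot: In mwifiex_sdio_probe the failed-enable exit that now frees `card` still returns a fixed `-EIO` and discards `ret`. Since this commit is already normalising error codes, `return ret;` would preserve the real cause. The rest of the probe body is outside the hunk, so the later failure exits should be checked to confirm they free `card` as well. In mwifiex_init_sdio the call to mwifiex_alloc_sdio_mpa_buffers begins on the last line of the hunk. If that call fails, `card->mp_regs` should be released on that path unless a teardown routine outside the hunk already does so.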
...@@ -895,7 +895,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, ...@@ -895,7 +895,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv,
if (!buf) { if (!buf) {
dev_err(priv->adapter->dev, "%s: failed to alloc cmd buffer\n", dev_err(priv->adapter->dev, "%s: failed to alloc cmd buffer\n",
__func__); __func__);
return -1; return -ENOMEM;
} }
txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf;
......