Commit d716e082 authored by Margit Schubert-While's avatar Margit Schubert-While Committed by Linus Torvalds

[PATCH] prism54 Fix memory leaks

* Change the "version" OID to what it should be.
* Fix memory leaks - mgt_get_request always returns
* allocated memory for non-int OIDS (with an exception -
* keep reading). If the caller checks the return and itself
* returns, then it must free memory.
* However, it is possible to return from mgt_get_request
* early (!priv->mib). In this case, weird things can happen
* in isl_ioctl. Quick fix, at least to force an oops, is
* to set the union value to NULL. The real fix is to
* recode all mgt_get_request calls in isl_ioctl.
parent 0391355e
...@@ -820,9 +820,11 @@ prism54_set_rate(struct net_device *ndev, ...@@ -820,9 +820,11 @@ prism54_set_rate(struct net_device *ndev,
return mgt_set_request(priv, DOT11_OID_PROFILES, 0, &profile); return mgt_set_request(priv, DOT11_OID_PROFILES, 0, &profile);
} }
if ((ret = ret = mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r);
mgt_get_request(priv, DOT11_OID_SUPPORTEDRATES, 0, NULL, &r))) if (ret) {
kfree(r.ptr);
return ret; return ret;
}
rate = (u32) (vwrq->value / 500000); rate = (u32) (vwrq->value / 500000);
data = r.ptr; data = r.ptr;
...@@ -840,6 +842,7 @@ prism54_set_rate(struct net_device *ndev, ...@@ -840,6 +842,7 @@ prism54_set_rate(struct net_device *ndev,
} }
if (!data[i]) { if (!data[i]) {
kfree(r.ptr);
return -EINVAL; return -EINVAL;
} }
...@@ -888,8 +891,11 @@ prism54_get_rate(struct net_device *ndev, ...@@ -888,8 +891,11 @@ prism54_get_rate(struct net_device *ndev,
vwrq->value = r.u * 500000; vwrq->value = r.u * 500000;
/* request the device for the enabled rates */ /* request the device for the enabled rates */
if ((rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r))) rvalue = mgt_get_request(priv, DOT11_OID_RATES, 0, NULL, &r);
if (rvalue) {
kfree(r.ptr);
return rvalue; return rvalue;
}
data = r.ptr; data = r.ptr;
vwrq->fixed = (data[0] != 0) && (data[1] == 0); vwrq->fixed = (data[0] != 0) && (data[1] == 0);
kfree(r.ptr); kfree(r.ptr);
......
...@@ -219,7 +219,7 @@ struct oid_t isl_oid[] = { ...@@ -219,7 +219,7 @@ struct oid_t isl_oid[] = {
OID_UNKNOWN(OID_INL_MEMORY, 0xFF020002), OID_UNKNOWN(OID_INL_MEMORY, 0xFF020002),
OID_U32_C(OID_INL_MODE, 0xFF020003), OID_U32_C(OID_INL_MODE, 0xFF020003),
OID_UNKNOWN(OID_INL_COMPONENT_NR, 0xFF020004), OID_UNKNOWN(OID_INL_COMPONENT_NR, 0xFF020004),
OID_UNKNOWN(OID_INL_VERSION, 0xFF020005), OID_STRUCT(OID_INL_VERSION, 0xFF020005, u8[8], OID_TYPE_RAW),
OID_UNKNOWN(OID_INL_INTERFACE_ID, 0xFF020006), OID_UNKNOWN(OID_INL_INTERFACE_ID, 0xFF020006),
OID_UNKNOWN(OID_INL_COMPONENT_ID, 0xFF020007), OID_UNKNOWN(OID_INL_COMPONENT_ID, 0xFF020007),
OID_U32_C(OID_INL_CONFIG, 0xFF020008), OID_U32_C(OID_INL_CONFIG, 0xFF020008),
...@@ -481,6 +481,8 @@ mgt_get_request(islpci_private *priv, enum oid_num_t n, int extra, void *data, ...@@ -481,6 +481,8 @@ mgt_get_request(islpci_private *priv, enum oid_num_t n, int extra, void *data,
BUG_ON(OID_NUM_LAST <= n); BUG_ON(OID_NUM_LAST <= n);
BUG_ON(extra > isl_oid[n].range); BUG_ON(extra > isl_oid[n].range);
res->ptr = NULL;
if (!priv->mib) if (!priv->mib)
/* memory has been freed */ /* memory has been freed */
return -1; return -1;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment