1 From 5ea59db8a375216e6c915c5586f556766673b5a7 Mon Sep 17 00:00:00 2001
2 From: "Peter S. Housel" <housel@acm.org>
3 Date: Mon, 12 Jun 2017 11:46:22 +0100
4 Subject: [PATCH] brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
6 An earlier change to this function (3bdae810721b) fixed a leak in the
7 case of an unsuccessful call to brcmf_sdiod_buffrw(). However, the
8 glom_skb buffer, used for emulating a scattering read, is never used
9 or referenced after its contents are copied into the destination
10 buffers, and therefore always needs to be freed by the end of the
13 Fixes: 3bdae810721b ("brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain")
14 Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
15 Cc: stable@vger.kernel.org # 4.9.x-
16 Signed-off-by: Peter S. Housel <housel@acm.org>
17 Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
18 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
20 drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 7 +++----
21 1 file changed, 3 insertions(+), 4 deletions(-)
23 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
24 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
25 @@ -705,7 +705,7 @@ done:
26 int brcmf_sdiod_recv_chain(struct brcmf_sdio_dev *sdiodev,
27 struct sk_buff_head *pktq, uint totlen)
29 - struct sk_buff *glom_skb;
30 + struct sk_buff *glom_skb = NULL;
32 u32 addr = sdiodev->sbwad;
34 @@ -726,10 +726,8 @@ int brcmf_sdiod_recv_chain(struct brcmf_
36 err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
39 - brcmu_pkt_buf_free_skb(glom_skb);
44 skb_queue_walk(pktq, skb) {
45 memcpy(skb->data, glom_skb->data, skb->len);
46 @@ -740,6 +738,7 @@ int brcmf_sdiod_recv_chain(struct brcmf_
50 + brcmu_pkt_buf_free_skb(glom_skb);
projects / openwrt / staging / xback.git / blob