Re: [PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
-- On Sun, Mar 30, 2014 10:31 PM BST Larry Finger wrote: >On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: > If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) > while usb_get_dev(udev) is not called yet. As a result refcnt is decremented > incorrectly and usb_dev can be used after memory deallocation. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov > --- > >Acked-by: Larry Finger > >Thanks, > >Larry Acked-by: Hin-Tak Leung Hin-Tak > > drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c > b/drivers/net/wireless/rtl818x/rtl8187/dev.c > index fd78df813a85..d7f540a9dc9b 100644 > --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c > +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c > @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, > > err_free_dmabuf: > kfree(priv->io_dmabuf); > - err_free_dev: > - ieee80211_free_hw(dev); > usb_set_intfdata(intf, NULL); > usb_put_dev(udev); > + err_free_dev: > + ieee80211_free_hw(dev); > return err; > } > > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
-- On Sun, Mar 30, 2014 10:31 PM BST Larry Finger wrote: On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov khoroshi...@ispras.ru --- Acked-by: Larry Finger larry.fin...@lwfinger.net Thanks, Larry Acked-by: Hin-Tak Leung ht...@users.sourceforge.net Hin-Tak drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv-io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov --- Acked-by: Larry Finger Thanks, Larry drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv->io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; } -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
On 03/28/2014 03:26 PM, Alexey Khoroshilov wrote: If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov khoroshi...@ispras.ru --- Acked-by: Larry Finger larry.fin...@lwfinger.net Thanks, Larry drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv-io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; } -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov --- drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv->io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] rtl8187: fix use after free on failure path in rtl8187_probe()
If allocation of io_dmabuf fails, rtl8187_probe() calls usb_put_dev(udev) while usb_get_dev(udev) is not called yet. As a result refcnt is decremented incorrectly and usb_dev can be used after memory deallocation. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov khoroshi...@ispras.ru --- drivers/net/wireless/rtl818x/rtl8187/dev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187/dev.c b/drivers/net/wireless/rtl818x/rtl8187/dev.c index fd78df813a85..d7f540a9dc9b 100644 --- a/drivers/net/wireless/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/rtl818x/rtl8187/dev.c @@ -1636,10 +1636,10 @@ static int rtl8187_probe(struct usb_interface *intf, err_free_dmabuf: kfree(priv-io_dmabuf); - err_free_dev: - ieee80211_free_hw(dev); usb_set_intfdata(intf, NULL); usb_put_dev(udev); + err_free_dev: + ieee80211_free_hw(dev); return err; } -- 1.8.3.2 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
