Hi Colin,
On Fri, Feb 26, 2016 at 10:09 AM, Colin King <colin.king@xxxxxxxxxxxxx> wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> If the allocation of ivp fails the error handling attempts to
> free an uninitialized dma_buf; this data structure just contains
> garbage on the stack, so the freeing will cause issues when the
> urb, buf and dma fields are free'd. Fix this by not free'ing the
> dma_buf if the ivp allocation fails.
>
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> ---
> drivers/net/wireless/mediatek/mt7601u/mcu.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt7601u/mcu.c b/drivers/net/wireless/mediatek/mt7601u/mcu.c
> index fbb1986..70e4b5e 100644
> --- a/drivers/net/wireless/mediatek/mt7601u/mcu.c
> +++ b/drivers/net/wireless/mediatek/mt7601u/mcu.c
> @@ -362,10 +362,10 @@ mt7601u_upload_firmware(struct mt7601u_dev *dev, const struct mt76_fw *fw)
> int i, ret;
>
> ivb = kmemdup(fw->ivb, sizeof(fw->ivb), GFP_KERNEL);
> - if (!ivb || mt7601u_usb_alloc_buf(dev, MCU_FW_URB_SIZE, &dma_buf)) {
> - ret = -ENOMEM;
> + if (!ivb)
> + return -ENOMEM;
> + if (mt7601u_usb_alloc_buf(dev, MCU_FW_URB_SIZE, &dma_buf))
> goto error;
Are you sure this is right? Isn't ret unset here and consequently
returned at the end of the error label?
Thanks,
--
Julian Calaby
Email: julian.calaby@xxxxxxxxx
Profile: http://www.google.com/profiles/julian.calaby/
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
