From: Arend van Spriel Date: Thu, 7 Aug 2014 12:45:09 +0000 (+0200) Subject: brcmfmac: fix memory leakage in msgbuf X-Git-Tag: firefly_0821_release~176^2~3384^2^2~2 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=2d116b8849474bfce8f8dac5ef671d0d7053c6fc;p=firefly-linux-kernel-4.4.55.git brcmfmac: fix memory leakage in msgbuf The kbuild robot came up with the following warning: tree: .../kernel/git/linville/wireless-next.git master head: dc6be9f54a4ecb0a09765d1f515ed947d86b7528 commit: 9a1bb60250d2b6b546a62e5b73f55c4f1d22016b [5/13] brcmfmac: Adding msgbuf protocol. coccinelle warnings: drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c:1309:1-28: alloc with no test, possible model on line 1318 Looking into the issue, it turned out that the referred allocation buffer was not being released in failure path nor upon module unload. Reported-by: Fengguang Wu Reviewed-by: Franky (Zhenhui) Lin Reviewed-by: Daniel (Deognyoun) Kim Reviewed-by: Pieter-Paul Giesberts Signed-off-by: Arend van Spriel Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c index 535c7eb01b3a..8f8b9373de95 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c @@ -1318,6 +1318,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr) msgbuf->nrof_flowrings = if_msgbuf->nrof_flowrings; msgbuf->flowring_dma_handle = kzalloc(msgbuf->nrof_flowrings * sizeof(*msgbuf->flowring_dma_handle), GFP_ATOMIC); + if (!msgbuf->flowring_dma_handle) + goto fail; msgbuf->rx_dataoffset = if_msgbuf->rx_dataoffset; msgbuf->max_rxbufpost = if_msgbuf->max_rxbufpost; @@ -1362,6 +1364,7 @@ fail: kfree(msgbuf->flow_map); kfree(msgbuf->txstatus_done_map); brcmf_msgbuf_release_pktids(msgbuf); + kfree(msgbuf->flowring_dma_handle); if (msgbuf->ioctbuf) dma_free_coherent(drvr->bus_if->dev, BRCMF_TX_IOCTL_MAX_MSG_SIZE, @@ -1391,6 +1394,7 @@ void brcmf_proto_msgbuf_detach(struct brcmf_pub *drvr) BRCMF_TX_IOCTL_MAX_MSG_SIZE, msgbuf->ioctbuf, msgbuf->ioctbuf_handle); brcmf_msgbuf_release_pktids(msgbuf); + kfree(msgbuf->flowring_dma_handle); kfree(msgbuf); drvr->proto->pd = NULL; }