[PATCH] staging: comedi: remove duplicate pointer assignments in attach functions
Some board pointer are assigned twice via comedi_board() in the comedi low level driver attach functions. Remove the duplicate assignment from the variable definition where the pointer is not used anyway until assigned later in the function when dev->board_ptr, that comedi_board() relies on, is setup correctly. Signed-off-by: Christian Engelmayer --- Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/comedi/drivers/das1800.c | 2 +- drivers/staging/comedi/drivers/das800.c | 2 +- drivers/staging/comedi/drivers/dt2801.c | 2 +- drivers/staging/comedi/drivers/ni_at_a2150.c | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/comedi/drivers/das1800.c b/drivers/staging/comedi/drivers/das1800.c index d581029..0335a70 100644 --- a/drivers/staging/comedi/drivers/das1800.c +++ b/drivers/staging/comedi/drivers/das1800.c @@ -1479,7 +1479,7 @@ static int das1800_probe(struct comedi_device *dev) static int das1800_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - const struct das1800_board *thisboard = comedi_board(dev); + const struct das1800_board *thisboard; struct das1800_private *devpriv; struct comedi_subdevice *s; unsigned int irq = it->options[1]; diff --git a/drivers/staging/comedi/drivers/das800.c b/drivers/staging/comedi/drivers/das800.c index b23a12c..e2dc43d 100644 --- a/drivers/staging/comedi/drivers/das800.c +++ b/drivers/staging/comedi/drivers/das800.c @@ -683,7 +683,7 @@ static int das800_probe(struct comedi_device *dev) static int das800_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - const struct das800_board *thisboard = comedi_board(dev); + const struct das800_board *thisboard; struct das800_private *devpriv; struct comedi_subdevice *s; unsigned int irq = it->options[1]; 
diff --git a/drivers/staging/comedi/drivers/dt2801.c b/drivers/staging/comedi/drivers/dt2801.c index d4d4e4b..4263014 100644 --- a/drivers/staging/comedi/drivers/dt2801.c +++ b/drivers/staging/comedi/drivers/dt2801.c @@ -545,7 +545,7 @@ static int dt2801_dio_insn_config(struct comedi_device *dev, */ static int dt2801_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - const struct dt2801_board *board = comedi_board(dev); + const struct dt2801_board *board; struct dt2801_private *devpriv; struct comedi_subdevice *s; int board_code, type; diff --git a/drivers/staging/comedi/drivers/ni_at_a2150.c b/drivers/staging/comedi/drivers/ni_at_a2150.c index afbf251..fefd97e 100644 --- a/drivers/staging/comedi/drivers/ni_at_a2150.c +++ b/drivers/staging/comedi/drivers/ni_at_a2150.c @@ -695,7 +695,7 @@ static int a2150_probe(struct comedi_device *dev) static int a2150_attach(struct comedi_device *dev, struct comedi_devconfig *it) { - const struct a2150_board *thisboard = comedi_board(dev); + const struct a2150_board *thisboard; struct a2150_private *devpriv; struct comedi_subdevice *s; unsigned int irq = it->options[1]; -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
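Review bot: In all four attach functions the local board pointer (`thisboard` in das1800_attach(), das800_attach() and a2150_attach(), `board` in dt2801_attach()) is now declared without an initializer, and the later `comedi_board(dev)` assignment the commit message relies on lies outside every hunk. Please confirm that nothing between the declaration and that assignment reads the pointer, including error paths, because such a read would now hit an uninitialized variable instead of the board preselected by the core.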
[PATCH] staging: rtl8723au: Remove unused pointer in rtw_wdev_free()
Pointer 'pwdev_priv' in function rtw_wdev_free() is unused - thus remove it. Signed-off-by: Christian Engelmayer --- Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 4 1 file changed, 4 deletions(-) diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c index ca100dc..be89741 100644 --- a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c +++ b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c @@ -3576,15 +3576,11 @@ exit: void rtw_wdev_free(struct wireless_dev *wdev) { - struct rtw_wdev_priv *pwdev_priv; - DBG_8723A("%s(wdev =%p)\n", __func__, wdev); if (!wdev) return; - pwdev_priv = wdev_to_priv(wdev); - kfree(wdev->wiphy->bands[IEEE80211_BAND_2GHZ]); kfree(wdev->wiphy->bands[IEEE80211_BAND_5GHZ]); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
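Review bot: Removing `pwdev_priv = wdev_to_priv(wdev);` from rtw_wdev_free() is a pure cleanup only if wdev_to_priv() has no side effects, and the commit message does not say so. Add a sentence stating that it is a plain accessor, so the removal can be reviewed without opening the header.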
[PATCH] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused. Thus remove it. Signed-off-by: Christian Engelmayer --- Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/silicom/bpctl_mod.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/staging/silicom/bpctl_mod.c b/drivers/staging/silicom/bpctl_mod.c index 7f3d884..2bf8964 100644 --- a/drivers/staging/silicom/bpctl_mod.c +++ b/drivers/staging/silicom/bpctl_mod.c @@ -6372,13 +6372,10 @@ static int __init bypass_init_module(void) sema_init(&bpctl_sema, 1); spin_lock_init(&bpvm_lock); { - - struct bpctl_dev *pbpctl_dev_c = NULL; for (idx_dev = 0, dev = bpctl_dev_arr; idx_dev < device_num && dev->pdev; idx_dev++, dev++) { if (dev->bp_10g9) { - pbpctl_dev_c = get_status_port_fn(dev); if (is_bypass_fn(dev)) { printk(KERN_INFO "%s found, ", dev->name); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
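Review bot: With `struct bpctl_dev *pbpctl_dev_c = NULL;` gone, the bare `{` that opens right after `spin_lock_init(&bpvm_lock);` in bypass_init_module() no longer scopes any declaration. Remove the block and re-indent the `for` loop in the same patch. The commit message should also state that the dropped `get_status_port_fn(dev)` call has no side effects.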
[PATCH] staging: silicom: Remove needless calls of get_status_port_fn()
Remove a needless pointer initialisation and call to get_status_port_fn() in functions remove_bypass_tpl_auto() and set_tpl_fn(). Variable 'pbpctl_dev_b' is set correctly later in the function before first use. Signed-off-by: Christian Engelmayer --- Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/silicom/bpctl_mod.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/staging/silicom/bpctl_mod.c b/drivers/staging/silicom/bpctl_mod.c index 2bf8964..fd2adf4 100644 --- a/drivers/staging/silicom/bpctl_mod.c +++ b/drivers/staging/silicom/bpctl_mod.c @@ -4735,10 +4735,9 @@ static void bp_tpl_timer_fn(unsigned long param) static void remove_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev) { - struct bpctl_dev *pbpctl_dev_b = NULL; + struct bpctl_dev *pbpctl_dev_b; if (!pbpctl_dev) return; - pbpctl_dev_b = get_status_port_fn(pbpctl_dev); if (pbpctl_dev->bp_caps & TPL_CAP) { del_timer_sync(&pbpctl_dev->bp_tpl_timer); @@ -4785,12 +4784,10 @@ static int set_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev, unsigned int param) static int set_tpl_fn(struct bpctl_dev *pbpctl_dev, int tpl_mode) { - struct bpctl_dev *pbpctl_dev_b = NULL; + struct bpctl_dev *pbpctl_dev_b; if (!pbpctl_dev) return -1; - pbpctl_dev_b = get_status_port_fn(pbpctl_dev); - if (pbpctl_dev->bp_caps & TPL_CAP) { if (tpl_mode) { pbpctl_dev_b = get_status_port_fn(pbpctl_dev); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
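Review bot: In set_tpl_fn() the only remaining assignment visible in the hunk, `pbpctl_dev_b = get_status_port_fn(pbpctl_dev);`, sits inside `if (tpl_mode)`, so dropping the `= NULL` initializer leaves the pointer uninitialized on the other branch. Confirm that every path reading pbpctl_dev_b assigns it first, or keep the initializer and remove only the redundant early call. The same check applies to remove_bypass_tpl_auto(), where the later assignment is outside the hunk.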
[PATCH v2] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused. Thus remove it. With the last variable declaration gone, there is no more need for an own block. Remove it and adapt the indenting accordingly. Signed-off-by: Christian Engelmayer --- v2: Added changes requested by Dan Carpenter: Dan pointed out that with the declaration gone, the indent block shall be removed. This was intentionally left out in v1 in order to keep the changeset more readable. However, according to the input, also with the additional indenting change this still qualifies for one logical change. Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/silicom/bpctl_mod.c | 41 +++-- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/drivers/staging/silicom/bpctl_mod.c b/drivers/staging/silicom/bpctl_mod.c index 7f3d884..2fb9a6f 100644 --- a/drivers/staging/silicom/bpctl_mod.c +++ b/drivers/staging/silicom/bpctl_mod.c 
@@ -6371,33 +6371,26 @@ static int __init bypass_init_module(void) sema_init(&bpctl_sema, 1); spin_lock_init(&bpvm_lock); - { - - struct bpctl_dev *pbpctl_dev_c = NULL; - for (idx_dev = 0, dev = bpctl_dev_arr; -idx_dev < device_num && dev->pdev; -idx_dev++, dev++) { - if (dev->bp_10g9) { - pbpctl_dev_c = get_status_port_fn(dev); - if (is_bypass_fn(dev)) { - printk(KERN_INFO "%s found, ", - dev->name); - dev->bp_fw_ver = bypass_fw_ver(dev); - printk("firmware version: 0x%x\n", - dev->bp_fw_ver); - } - dev->wdt_status = WDT_STATUS_UNKNOWN; - dev->reset_time = 0; - atomic_set(&dev->wdt_busy, 0); - dev->bp_status_un = 1; - - bypass_caps_init(dev); - - init_bypass_wd_auto(dev); - init_bypass_tpl_auto(dev); + for (idx_dev = 0, dev = bpctl_dev_arr; +idx_dev < device_num && dev->pdev; +idx_dev++, dev++) { + if (dev->bp_10g9) { + if (is_bypass_fn(dev)) { + printk(KERN_INFO "%s found, ", dev->name); + dev->bp_fw_ver = bypass_fw_ver(dev); + printk("firmware version: 0x%x\n", + dev->bp_fw_ver); } + dev->wdt_status = WDT_STATUS_UNKNOWN; + dev->reset_time = 0; + atomic_set(&dev->wdt_busy, 0); + dev->bp_status_un = 1; + + bypass_caps_init(dev); + init_bypass_wd_auto(dev); + init_bypass_tpl_auto(dev); } } -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
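Review bot: The re-indented body of the loop in bypass_init_module() still splits one log message across `printk(KERN_INFO "%s found, ", dev->name);` and a second `printk("firmware version: 0x%x\n", ...)` that carries no log level. That is out of scope for this cleanup, but since the lines are touched here a follow-up should merge them into one call or mark the second one with KERN_CONT, so the two halves cannot be interleaved with other messages.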
[PATCH] staging: vt6656: Fix possible leak in vnt_download_firmware()
When failing to allocate buffer memory, function vnt_download_firmware() goes through the wrong exit path and fails to release the already requested firmware. Thus use the correct cleanup. Detected by Coverity CID 1269128. Signed-off-by: Christian Engelmayer --- Compile tested only. Applies against branch staging-next. --- drivers/staging/vt6656/firmware.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/vt6656/firmware.c b/drivers/staging/vt6656/firmware.c index a177645af83e..d440f284bf18 100644 --- a/drivers/staging/vt6656/firmware.c +++ b/drivers/staging/vt6656/firmware.c @@ -61,7 +61,7 @@ int vnt_download_firmware(struct vnt_private *priv) buffer = kmalloc(FIRMWARE_CHUNK_SIZE, GFP_KERNEL); if (!buffer) - goto out; + goto free_fw; for (ii = 0; ii < fw->size; ii += FIRMWARE_CHUNK_SIZE) { length = min_t(int, fw->size - ii, FIRMWARE_CHUNK_SIZE); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
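Review bot: The new `goto free_fw;` after the failed `kmalloc(FIRMWARE_CHUNK_SIZE, GFP_KERNEL)` in vnt_download_firmware() sets no error code within the hunk. Confirm that the return variable already holds a failure value such as -ENOMEM when `free_fw:` is reached from here, and assign it before the jump if it does not.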
[PATCH] staging: rtl8188eu: Fix possible leak in rtl88eu_download_fw()
Function rtl88eu_download_fw() may leak the memory of the already requested firmware data due to direct returns in the error paths. Ensure cleanup by using a centralized exit path. Detected by Coverity CID 1269127. Signed-off-by: Christian Engelmayer --- Compile tested only. Applies against branch staging-next. --- drivers/staging/rtl8188eu/hal/fw.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8188eu/hal/fw.c b/drivers/staging/rtl8188eu/hal/fw.c index 3b2875481fc5..1b57ca49af5f 100644 --- a/drivers/staging/rtl8188eu/hal/fw.c +++ b/drivers/staging/rtl8188eu/hal/fw.c @@ -201,17 +201,19 @@ int rtl88eu_download_fw(struct adapter *adapt) if (fw->size > FW_8188E_SIZE) { dev_err(device, "Firmware size exceed 0x%X. Check it.\n", FW_8188E_SIZE); - return -1; + err = -1; + goto exit; } pfwdata = kzalloc(FW_8188E_SIZE, GFP_KERNEL); - if (!pfwdata) - return -ENOMEM; + if (!pfwdata) { + err = -ENOMEM; + goto exit; + } rtlhal->pfirmware = pfwdata; memcpy(rtlhal->pfirmware, fw->data, fw->size); rtlhal->fwsize = fw->size; - release_firmware(fw); fwsize = rtlhal->fwsize; pfwheader = (struct rtl92c_firmware_header *)pfwdata; @@ -232,5 +234,7 @@ int rtl88eu_download_fw(struct adapter *adapt) err = _rtl88e_fw_free_to_go(adapt); +exit: + release_firmware(fw); return err; } -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
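Review bot: The oversize-firmware branch in rtl88eu_download_fw() keeps the bare `err = -1;`; since the line is rewritten anyway, return a real errno such as -EINVAL so callers can distinguish it from the -ENOMEM case just below. The new `exit:` label would also read better named after what it does, for example `release_fw:`.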
[PATCH] staging: vt6655: Fix memory leak in wpa_ioctl()
Fix a memory leak in the wpa_ioctl() error handling path so that 'param' is also freed correctly in case of an unsupported ioctl. Detected by Coverity: CID 144380. Signed-off-by: Christian Engelmayer --- drivers/staging/vt6655/wpactl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vt6655/wpactl.c b/drivers/staging/vt6655/wpactl.c index 044368a..2315d67 100644 --- a/drivers/staging/vt6655/wpactl.c +++ b/drivers/staging/vt6655/wpactl.c @@ -923,8 +923,8 @@ int wpa_ioctl(PSDevice pDevice, struct iw_point *p) default: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "wpa_ioctl: unknown cmd=%d\n", param->cmd); - return -EOPNOTSUPP; - break; + ret = -EOPNOTSUPP; + goto out; } if ((ret == 0) && wpa_ioctl) { -- 1.8.3.2 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
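Review bot: The `default:` case in wpa_ioctl() now jumps to `out`, a label that is not part of the hunk, so the fix cannot be verified from the diff alone. State in the commit message that `out:` is where `param` is freed and that it returns `ret`, so it is clear the `-EOPNOTSUPP` value survives to the caller.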
[PATCH 5/5] staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()
Function rtw_mp_pwrtrk() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - 1077715. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 28 -- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index ea5e1f8..f04aaa3 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7119,15 +7119,15 @@ static int rtw_mp_pwrtrk(struct net_device *dev, { u8 enable; u32 thermal; - s32 ret; struct adapter *padapter = rtw_netdev_priv(dev); char*input = kmalloc(wrqu->length, GFP_KERNEL); + int ret = 0; if (!input) return -ENOMEM; if (copy_from_user(input, wrqu->pointer, wrqu->length)) { - kfree(input); - return -EFAULT; + ret = -EFAULT; + goto exit; } _rtw_memset(extra, 0, wrqu->length); @@ -7138,22 +7138,28 @@ static int rtw_mp_pwrtrk(struct net_device *dev, sprintf(extra, "mp tx power tracking stop"); } else if (sscanf(input, "ther =%d", &thermal)) { ret = Hal_SetThermalMeter(padapter, (u8)thermal); - if (ret == _FAIL) - return -EPERM; + if (ret == _FAIL) { + ret = -EPERM; + goto exit; + } sprintf(extra, "mp tx power tracking start, target value =%d ok ", thermal); } else { - kfree(input); - return -EINVAL; + ret = -EINVAL; + goto exit; } } - kfree(input); ret = Hal_SetPowerTracking(padapter, enable); - if (ret == _FAIL) - return -EPERM; + if (ret == _FAIL) { + ret = -EPERM; + goto exit; + } wrqu->length = strlen(extra); - return 0; + +exit: + kfree(input); + return ret; } static int rtw_mp_psd(struct net_device *dev, -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
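Review bot: On the success path at the end of rtw_mp_pwrtrk() the old code ended with `return 0;`, while the new code falls through to `exit:` and returns `ret`, which at that point still holds the result of `Hal_SetPowerTracking(padapter, enable)`. Unless that function's success value is 0, the ioctl now returns a non-zero value on success. Set `ret = 0;` after `wrqu->length = strlen(extra);` or keep the hal result in a separate variable.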
[PATCH 3/5] staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
Function rtw_mp_QueryDrv() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077713. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 1bd476d..8b1579b 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7350,12 +7350,15 @@ static int rtw_mp_QueryDrv(struct net_device *dev, char*input = kmalloc(wrqu->data.length, GFP_KERNEL); u8 qAutoLoad = 1; struct eeprom_priv *pEEPROM = GET_EEPROM_EFUSE_PRIV(padapter); + int ret = 0; if (!input) return -ENOMEM; - if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) - return -EFAULT; + if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) { + ret = -EFAULT; + goto exit; + } DBG_88E("%s:iwpriv in =%s\n", __func__, input); qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */ @@ -7369,8 +7372,10 @@ static int rtw_mp_QueryDrv(struct net_device *dev, sprintf(extra, "ok"); } wrqu->data.length = strlen(extra) + 1; + +exit: kfree(input); - return 0; + return ret; } static int rtw_mp_set(struct net_device *dev, -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
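Review bot: In rtw_mp_QueryDrv() the buffer from `kmalloc(wrqu->data.length, GFP_KERNEL)` is filled by copy_from_user() and then passed to `DBG_88E("%s:iwpriv in =%s\n", __func__, input)` without a terminator being written anywhere in the visible lines. The leak fix itself is fine, but a follow-up should allocate one extra byte and NUL-terminate the copy, so that the `%s` and the `strncmp()` cannot read past the allocation.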
[PATCH 0/5] staging: rtl8188eu: fix Coverity defects in os_dep/ioctl_linux.c
This is a cleanup of staging/rtl8188eu/os_dep/ioctl_linux.c regarding Coverity resource leak findings. The changes leave the current implementation intact and just attack the problems in the error paths, however, it seems that we could get easily rid of some of the mallocs altogether.

    char *input = kmalloc(wrqu->data.length, GFP_KERNEL);
    copy_from_user(input, wrqu->data.pointer, wrqu->data.length);
    qAutoLoad = strncmp(input, "autoload", 8);

The series is compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git

Christian Engelmayer (5):
  staging: rtl8188eu: fix potential leak in rtw_wx_read32()
  staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
  staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
  staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
  staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()

 drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 69 +-
 1 file changed, 45 insertions(+), 24 deletions(-)

--
1.9.1
[PATCH 4/5] staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
Function rtw_mp_SetRFPath() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077714. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 8b1579b..ea5e1f8 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7321,11 +7321,14 @@ static int rtw_mp_SetRFPath(struct net_device *dev, struct adapter *padapter = rtw_netdev_priv(dev); char*input = kmalloc(wrqu->data.length, GFP_KERNEL); u8 bMain = 1, bTurnoff = 1; + int ret = 0; if (!input) return -ENOMEM; - if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) - return -EFAULT; + if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) { + ret = -EFAULT; + goto exit; + } DBG_88E("%s:iwpriv in =%s\n", __func__, input); bMain = strncmp(input, "1", 2); /* strncmp true is 0 */ @@ -7338,8 +7341,10 @@ static int rtw_mp_SetRFPath(struct net_device *dev, MP_PHY_SetRFPathSwitch(padapter, false); DBG_88E("%s:PHY_SetRFPathSwitch = false\n", __func__); } + +exit: kfree(input); - return 0; + return ret; } static int rtw_mp_QueryDrv(struct net_device *dev, -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
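Review bot: In rtw_mp_SetRFPath() the `kmalloc()` hidden in the declaration of `input`, the following `copy_from_user()` and the new `goto exit` could be replaced by a single memdup_user() call, which releases the buffer itself when the copy fails. That removes the error path this patch has to repair and leaves only the final `kfree(input);`, and it would let `ret` go away again since the function has no other failure value in the visible lines.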
[PATCH 2/5] staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
Function rtw_wx_set_enc_ext() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077712. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 45b47e2..1bd476d 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2097,7 +2097,8 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, alg_name = "CCMP"; break; default: - return -1; + ret = -1; + goto exit; } strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); @@ -2124,6 +2125,7 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, ret = wpa_set_encryption(dev, param, param_len); +exit: kfree(param); return ret; } -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
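Review bot: The `default:` branch of the algorithm switch in rtw_wx_set_enc_ext() needs the new `goto exit` only because `param` is allocated before the switch, as the `strncpy((char *)param->u.crypt.alg, ...)` right after it shows. Validating the algorithm before the allocation would let the unsupported case return directly with no cleanup at all. If the goto is kept, replace `ret = -1;` with an errno such as -EINVAL.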
[PATCH 1/5] staging: rtl8188eu: fix potential leak in rtw_wx_read32()
Function rtw_wx_read32() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077711. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index cf30a08..45b47e2 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev, u32 bytes; u8 *ptmp; int rv; + int ret = 0; padapter = (struct adapter *)rtw_netdev_priv(dev); p = &wrqu->data; @@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev, return -ENOMEM; if (copy_from_user(ptmp, p->pointer, len)) { - kfree(ptmp); - return -EFAULT; + ret = -EFAULT; + goto exit; } bytes = 0; addr = 0; rv = sscanf(ptmp, "%d,%x", &bytes, &addr); if (rv != 2) { - kfree(ptmp); - return -EINVAL; + ret = -EINVAL; + goto exit; } switch (bytes) { @@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev, break; default: DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n", __func__); - return -EINVAL; + ret = -EINVAL; + goto exit; } DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr, extra); +exit: kfree(ptmp); - return 0; + return ret; } static int rtw_wx_write32(struct net_device *dev, -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
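Review bot: In rtw_wx_read32() the context line `rv = sscanf(ptmp, "%d,%x", &bytes, &addr);` stores through `%d` into `bytes`, which the first hunk shows declared as `u32 bytes;`. The conversion should be `%u` to match the unsigned type. This is independent of the leak fix and belongs in a separate patch, but it is in the same few lines this change reworks.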
Re: [PATCH] staging: comedi: remove duplicate pointer assignments in attach functions
On Mon, 28 Apr 2014 22:36:13 +, Hartley Sweeten wrote:

> Technically, these drivers are fine as-is.

They are. The proposed change falls under minor code maintenance only.

> They are all legacy comedi drivers and use the manual attach mechanism. The
> dev->board pointer is setup by the comedi core before calling the drivers
> (*attach) so the foo = comedi_board(dev) is getting the board pointer that
> was found by the core.

> Unlike most comedi legacy drivers, these drivers then do an additional "probe"
> to try and identify the board. This could result in the dev->board_ptr getting
> changed which requires updating the local variable for the board pointer.

The point is that while updating dev->board_ptr is necessary in case of the manual attach use case, deriving the local pointer before dev->board_ptr is decided is not. Furthermore it might be a bit risky to already have a local pointer to a valid, but potentially wrong comedi struct preselected by the core, although it cannot be used safely anyway until overwritten after the manual probe is done.

Having had a short look over the comedi code I was under the impression that the change would make the 4 affected functions consistent with the other parts that seemingly follow the skeleton.

    static int skel_attach(struct comedi_device *dev, struct comedi_devconfig *it)
    {
        const struct skel_board *thisboard;
        struct skel_private *devpriv;

        /*
         * If you can probe the device to determine what device in a series
         * it is, this is the place to do it. Otherwise, dev->board_ptr
         * should already be initialized.
         */
        /* dev->board_ptr = skel_probe(dev, it); */

        thisboard = comedi_board(dev);

> These probe functions need to be looked at to see if they are actually needed.
> For now I would prefer that the existing code stay as-is.

That added about the intention of the patch, I'm fine if you want to question the necessity of the probes as a whole and keep the legacy code meanwhile untouched.

Regards,
Christian
[PATCH] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested algorithm is not supported by the driver, the function returns without enqueuing or freeing the already allocated command and parameter structs. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077716, 1077717. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_mlme.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c b/drivers/staging/rtl8188eu/core/rtw_mlme.c index 769d4dd..275ae7b 100644 --- a/drivers/staging/rtl8188eu/core/rtw_mlme.c +++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c @@ -1729,13 +1729,12 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj)); if (pcmd == NULL) { res = _FAIL; /* try again */ - goto exit; + goto fail_noobj; } psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct setkey_parm)); if (psetkeyparm == NULL) { - kfree(pcmd); res = _FAIL; - goto exit; + goto fail_noparm; } _rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm)); @@ -1784,7 +1783,7 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in ("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x (must be 1 or 2 or 4 or 5)\n", psecuritypriv->dot11PrivacyAlgrthm)); res = _FAIL; - goto exit; + goto fail; } pcmd->cmdcode = _SetKey_CMD_; pcmd->parmbuf = (u8 *)psetkeyparm; 
@@ -1793,7 +1792,13 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in pcmd->rspsz = 0; _rtw_init_listhead(&pcmd->list); res = rtw_enqueue_cmd(pcmdpriv, pcmd); -exit: + return res; + +fail: + kfree(psetkeyparm); +fail_noparm: + kfree(pcmd); +fail_noobj: return res; } -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
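Review bot: The new labels at the end of rtw_set_key() are named after where the jump comes from (`fail_noparm`, `fail_noobj`) instead of what they do, and `fail_noobj:` only executes `return res;`. Return `_FAIL` directly when the first rtw_zmalloc() fails, and name the remaining labels after their action, for example `err_free_parm` and `err_free_cmd`.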
[PATCH v2] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested algorithm is not supported by the driver, the function returns without enqueuing or freeing the already allocated command and parameter structs. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077716, 1077717. Signed-off-by: Christian Engelmayer --- v2: Added changes requested by Dan Carpenter: * Just return directly where no cleanup is needed. * Prefer naming labels by the labeled action rather than the goto location. Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_mlme.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c b/drivers/staging/rtl8188eu/core/rtw_mlme.c index 769d4dd..155282e 100644 --- a/drivers/staging/rtl8188eu/core/rtw_mlme.c +++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c @@ -1727,15 +1727,13 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in int res = _SUCCESS; pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj)); - if (pcmd == NULL) { - res = _FAIL; /* try again */ - goto exit; - } + if (pcmd == NULL) + return _FAIL; /* try again */ + psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct setkey_parm)); if (psetkeyparm == NULL) { - kfree(pcmd); res = _FAIL; - goto exit; + goto err_free_cmd; } _rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm)); @@ -1784,7 +1782,7 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in ("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x (must be 1 or 2 or 4 or 5)\n", psecuritypriv->dot11PrivacyAlgrthm)); res = _FAIL; - goto exit; + goto err_free_parm; } pcmd->cmdcode = _SetKey_CMD_; pcmd->parmbuf = (u8 *)psetkeyparm; 
@@ -1793,7 +1791,12 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in pcmd->rspsz = 0; _rtw_init_listhead(&pcmd->list); res = rtw_enqueue_cmd(pcmdpriv, pcmd); -exit: + return res; + +err_free_parm: + kfree(psetkeyparm); +err_free_cmd: + kfree(pcmd); return res; } -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
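Review bot: The success path in rtw_set_key() now ends with `res = rtw_enqueue_cmd(pcmdpriv, pcmd);` followed by a direct `return res;`, so nothing in this function frees `pcmd` or `psetkeyparm` when the enqueue itself fails. Confirm that rtw_enqueue_cmd() takes ownership and releases both in that case, and say so in the commit message; otherwise that path has to go through `err_free_parm` as well.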
[PATCH] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Fix a potential leak in the error path of r871x_wx_set_enc_ext(). In case the requested algorithm is not supported by the driver, the function returns without freeing the already allocated 'param' struct. Move the input verification to the beginning of the function so that the direct return is safe. Detected by Coverity - CID 144373. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index 23d539d..1eca992 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -1801,13 +1801,6 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, u32 param_len; int ret = 0; - param_len = sizeof(struct ieee_param) + pext->key_len; - param = (struct ieee_param *)_malloc(param_len); - if (param == NULL) - return -ENOMEM; - memset(param, 0, param_len); - param->cmd = IEEE_CMD_SET_ENCRYPTION; - memset(param->sta_addr, 0xff, ETH_ALEN); switch (pext->alg) { case IW_ENCODE_ALG_NONE: alg_name = "none"; @@ -1824,6 +1817,15 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, default: return -EINVAL; } + + param_len = sizeof(struct ieee_param) + pext->key_len; + param = (struct ieee_param *)_malloc(param_len); + if (param == NULL) + return -ENOMEM; + memset(param, 0, param_len); + param->cmd = IEEE_CMD_SET_ENCRYPTION; + memset(param->sta_addr, 0xff, ETH_ALEN); + strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); if (pext->ext_flags & IW_ENCODE_EXT_GROUP_KEY) param->u.crypt.set_tx = 0; -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
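Review bot: The allocation block moved below the switch in r871x_wx_set_enc_ext() carries over the cast in `param = (struct ieee_param *)_malloc(param_len);` and the separate `memset(param, 0, param_len);` unchanged. Keeping the move verbatim is reasonable for this fix, but the cast on the allocator's return value is unnecessary and the pair could become one zeroing allocation in a follow-up, which would shorten the block that now sits between validation and first use.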
[PATCH] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Make sure that allocated memory for 'pbackup_remainder_ie' is freed upon return. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8723au/core/rtw_ap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c b/drivers/staging/rtl8723au/core/rtw_ap.c index 9b31412..f2c78a7 100644 --- a/drivers/staging/rtl8723au/core/rtw_ap.c +++ b/drivers/staging/rtl8723au/core/rtw_ap.c @@ -1276,7 +1276,7 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) pwps_ie_src = pmlmepriv->wps_beacon_ie; if (pwps_ie_src == NULL) - return; + goto exit; wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ) @@ -1291,8 +1291,8 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) pnetwork->IELength = wps_offset + (wps_ielen+2) + remainder_ielen; } - if (pbackup_remainder_ie) - kfree(pbackup_remainder_ie); +exit: + kfree(pbackup_remainder_ie); } static void update_bcn_p2p_ie(struct rtw_adapter *padapter) -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
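Review bot: The second hunk in update_bcn_wps_ie() also drops the `if (pbackup_remainder_ie)` guard in front of `kfree(pbackup_remainder_ie);`, which the commit message does not mention. The change is correct because kfree() accepts NULL, but it is a separate cleanup from the leak fix and should be named in the changelog.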
[PATCH] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Make sure that allocated memory for 'pbackup_remainder_ie' is freed upon return. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_ap.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c b/drivers/staging/rtl8188eu/core/rtw_ap.c index ff74d0d..6268f44 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ap.c +++ b/drivers/staging/rtl8188eu/core/rtw_ap.c @@ -1325,7 +1325,7 @@ static void update_bcn_wps_ie(struct adapter *padapter) pwps_ie_src = pmlmepriv->wps_beacon_ie; if (pwps_ie_src == NULL) - return; + goto exit; wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) { @@ -1339,6 +1339,7 @@ static void update_bcn_wps_ie(struct adapter *padapter) pnetwork->IELength = wps_offset + (wps_ielen+2) + remainder_ielen; } +exit: kfree(pbackup_remainder_ie); } -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
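Review bot: The changelog cites CID 1077718 for the `goto exit` added in the first hunk, which is the same id the rtl8723au patch quotes for its own copy of update_bcn_wps_ie(); please confirm which id Coverity reported against rtl8188eu/core/rtw_ap.c so the reference can be matched to this file. On the code itself, the single-use `exit:` label in the second hunk exists only because the `pwps_ie_src` check runs after the allocation, so the label needs the same care as any other early exit added to this function later.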
Re: [PATCH] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
On Thu, 1 May 2014 14:22:17 +0200, Mateusz Guzik wrote: > On Thu, May 01, 2014 at 01:57:27PM +0200, Christian Engelmayer wrote: > > Fix a potential leak in the error path of function update_bcn_wps_ie(). > > Make sure that allocated memory for 'pbackup_remainder_ie' is freed > > upon return. Detected by Coverity - CID 1077718. > > > > if (remainder_ielen > 0) { > pbackup_remainder_ie = kmalloc(remainder_ielen, GFP_ATOMIC); > if (pbackup_remainder_ie) > memcpy(pbackup_remainder_ie, premainder_ie, >remainder_ielen); > } > > pwps_ie_src = pmlmepriv->wps_beacon_ie; > if (pwps_ie_src == NULL) > return; > > > Maybe just check pwps_ie_src earlier? > You are right, I see no reason why this cannot be done early in the function. diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c b/drivers/staging/rtl8723au/core/rtw_ap.c index 9b31412..da028c535 100644 --- a/drivers/staging/rtl8723au/core/rtw_ap.c +++ b/drivers/staging/rtl8723au/core/rtw_ap.c @@ -1256,6 +1256,10 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) DBG_8723A("%s\n", __func__); + pwps_ie_src = pmlmepriv->wps_beacon_ie; + if (pwps_ie_src == NULL) + return; + pwps_ie = rtw_get_wps_ie23a(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen); if (pwps_ie == NULL || wps_ielen == 0) @@ -1274,10 +1278,6 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) remainder_ielen); } - pwps_ie_src = pmlmepriv->wps_beacon_ie; - if (pwps_ie_src == NULL) - return; - wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ) { Regards, Christian signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v2] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Move the affected input verification to the beginning of the function so that it may return directly without leaking already allocated memory. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- v2: Added change suggested by Mateusz Guzik for the rtl8723au variant: Move the check before allocating the memory instead of freeing the resource afterwards in the error path. Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_ap.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c b/drivers/staging/rtl8188eu/core/rtw_ap.c index ff74d0d..85fda61 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ap.c +++ b/drivers/staging/rtl8188eu/core/rtw_ap.c @@ -1306,6 +1306,10 @@ static void update_bcn_wps_ie(struct adapter *padapter) DBG_88E("%s\n", __func__); + pwps_ie_src = pmlmepriv->wps_beacon_ie; + if (pwps_ie_src == NULL) + return; + pwps_ie = rtw_get_wps_ie(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen); if (pwps_ie == NULL || wps_ielen == 0) @@ -1323,10 +1327,6 @@ static void update_bcn_wps_ie(struct adapter *padapter) memcpy(pbackup_remainder_ie, premainder_ie, remainder_ielen); } - pwps_ie_src = pmlmepriv->wps_beacon_ie; - if (pwps_ie_src == NULL) - return; - wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) { memcpy(pwps_ie, pwps_ie_src, wps_ielen+2); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: rtl8712: fix potential leaks in r8712_set_key()
Fix potential leaks in the error paths of r8712_set_key(). In case the algorithm specific checks fail, the function returns without enqueuing or freeing the already allocated command and parameter structs. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 144370, 144371. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8712/rtl871x_mlme.c | 28 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c index 3ea99ae..23fd8c1 100644 --- a/drivers/staging/rtl8712/rtl871x_mlme.c +++ b/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1243,14 +1243,15 @@ sint r8712_set_key(struct _adapter *adapter, struct cmd_obj *pcmd; struct setkey_parm *psetkeyparm; u8 keylen; + sint ret = _SUCCESS; pcmd = (struct cmd_obj *)_malloc(sizeof(struct cmd_obj)); if (pcmd == NULL) return _FAIL; psetkeyparm = (struct setkey_parm *)_malloc(sizeof(struct setkey_parm)); if (psetkeyparm == NULL) { - kfree((unsigned char *)pcmd); - return _FAIL; + ret = _FAIL; + goto err_free_cmd; } memset(psetkeyparm, 0, sizeof(struct setkey_parm)); if (psecuritypriv->AuthAlgrthm == 2) { /* 802.1X */ 
@@ -1274,23 +1275,28 @@ sint r8712_set_key(struct _adapter *adapter, psecuritypriv->DefKey[keyid].skey, keylen); break; case _TKIP_: - if (keyid < 1 || keyid > 2) - return _FAIL; + if (keyid < 1 || keyid > 2) { + ret = _FAIL; + goto err_free_parm; + } keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; case _AES_: - if (keyid < 1 || keyid > 2) - return _FAIL; + if (keyid < 1 || keyid > 2) { + ret = _FAIL; + goto err_free_parm; + } keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; default: - return _FAIL; + ret = _FAIL; + goto err_free_parm; } pcmd->cmdcode = _SetKey_CMD_; pcmd->parmbuf = (u8 *)psetkeyparm; @@ -1299,7 +1305,13 @@ sint r8712_set_key(struct _adapter *adapter, pcmd->rspsz = 0; _init_listhead(&pcmd->list); r8712_enqueue_cmd(pcmdpriv, pcmd); - return _SUCCESS; + return ret; + +err_free_parm: + kfree(psetkeyparm); +err_free_cmd: + kfree(pcmd); + return ret; } /* adjust IEs for r8712_joinbss_cmd in WMM */ -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
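Review bot: In the last hunk the success path now ends in `return ret;` directly after `r8712_enqueue_cmd(pcmdpriv, pcmd);`, whose result is still discarded, so `ret` can only hold its initial _SUCCESS at that point. Either keep `return _SUCCESS;` there so the intent is obvious, or assign the enqueue result to `ret` if the call can fail; in the second case the changelog should also say who owns `pcmd` and `psetkeyparm` after a failed enqueue, because the new error labels are not reached from that path.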
[PATCH v2] staging: rtl8723au: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Move the affected input verification to the beginning of the function so that it may return directly without leaking already allocated memory. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- v2: Added change suggested by Mateusz Guzik: Move the check before allocating the memory instead of freeing the resource afterwards in the error path. Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8723au/core/rtw_ap.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8723au/core/rtw_ap.c b/drivers/staging/rtl8723au/core/rtw_ap.c index 9b31412..da028c535 100644 --- a/drivers/staging/rtl8723au/core/rtw_ap.c +++ b/drivers/staging/rtl8723au/core/rtw_ap.c @@ -1256,6 +1256,10 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) DBG_8723A("%s\n", __func__); + pwps_ie_src = pmlmepriv->wps_beacon_ie; + if (pwps_ie_src == NULL) + return; + pwps_ie = rtw_get_wps_ie23a(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen); if (pwps_ie == NULL || wps_ielen == 0) @@ -1274,10 +1278,6 @@ static void update_bcn_wps_ie(struct rtw_adapter *padapter) remainder_ielen); } - pwps_ie_src = pmlmepriv->wps_beacon_ie; - if (pwps_ie_src == NULL) - return; - wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen)<= MAX_IE_SZ) { -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: vt6656: fix potential leak in vt6656_hostap_ioctl()
Commit fb841d67 (staging: vt6656: don't leak 'param' in vt6656_hostap_ioctl() when returning -EOPNOTSUPP) cleaned up direct returns in the ioctl switch statement that leaked already allocated memory. Fix the same issue for VIAWGET_HOSTAPD_SCAN_REQ and VIAWGET_HOSTAPD_MLME that are also not supported by this driver. Detected by Coverity - CID 144381. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/vt6656/hostap.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c index 67ba48b..a0d9fff 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -742,7 +742,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_MLME: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_MLME \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT \n"); @@ -751,7 +752,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_SCAN_REQ: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SCAN_REQ \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_STA_CLEAR_STATS: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_STA_CLEAR_STATS \n"); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: Found some errors and other oddities, largely by means of a static code analysis program
On Sat, 3 May 2014 23:06:50 +0300, Dan Carpenter wrote: > Many of my other comments apply. > > > diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > > b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > > index 23d539d..1d4475d 100644 > > --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > > +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > > max_rate *= 2; /* Mbps/2 */ > > @@ -1822,6 +1814,7 @@ static int r871x_wx_set_enc_ext(struct net_device > > *dev, > > alg_name = "CCMP"; > > break; > > default: > > + kfree(param); > > return -EINVAL; > > Good. But this belongs in a separate patch. > There's a patch proposal from 2014-05-01 this week that addresses this issue, see "[PATCH] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()" > > } > > strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); > > diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c > > b/drivers/staging/rtl8712/rtl871x_mlme.c > > index 3ea99ae..f126763 100644 > > --- a/drivers/staging/rtl8712/rtl871x_mlme.c > > +++ b/drivers/staging/rtl8712/rtl871x_mlme.c > > @@ -1274,22 +1274,30 @@ sint r8712_set_key(struct _adapter *adapter, > > psecuritypriv->DefKey[keyid].skey, keylen); > > break; > > case _TKIP_: > > - if (keyid < 1 || keyid > 2) > > + if (keyid < 1 || keyid > 2) { > > + kfree((unsigned char *)pcmd); > > + kfree((unsigned char *)psetkeyparm); > > return _FAIL; > > The cast is wrong and anyway it's not needed. This should be: > > ret = _FAIL; > goto err_free_keyparm; > same here, see "[PATCH] staging: rtl8712: fix potential leaks in r8712_set_key()". Regards, Christian signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: binder: fix usage of uninit scalar in binder_transaction()
Fix the error path when a cookie mismatch is detected. In that case the function jumps to the exit label without setting the uninitialized, local variable 'return_error'. Detected by Coverity - CID 201453. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 1f5e249..ca1b0e3 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1529,6 +1529,7 @@ static void binder_transaction(struct binder_proc *proc, proc->pid, thread->pid, (u64)fp->binder, node->debug_id, (u64)fp->cookie, (u64)node->cookie); + return_error = BR_FAILED_REPLY; goto err_binder_get_ref_for_node_failed; } ref = binder_get_ref_for_node(target_proc, node); -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
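Review bot: The added `return_error = BR_FAILED_REPLY;` covers this one `goto err_binder_get_ref_for_node_failed`, but the changelog does not say whether the other jumps to the error labels in binder_transaction() were checked for the same omission. A sentence confirming that this was the only path leaving `return_error` unset, and a reference to the commit that introduced the cookie-mismatch branch, would make the fix easier to verify and to backport.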
[PATCH] staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach()
This driver supports the PCI-20001C-1a and PCI-20001C-2a carrier boards. The -2a version has 32 on-board DIO channels. In case this variant is detected, local variable 'has_dio' is set accordingly. Otherwise it is left uninitialized and the following subdevice instantiation depends on the stack. Detected by Coverity - CID 1077830. Signed-off-by: Christian Engelmayer --- Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/comedi/drivers/ii_pci20kc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/comedi/drivers/ii_pci20kc.c b/drivers/staging/comedi/drivers/ii_pci20kc.c index 3558ab3..2516ce8 100644 --- a/drivers/staging/comedi/drivers/ii_pci20kc.c +++ b/drivers/staging/comedi/drivers/ii_pci20kc.c @@ -461,6 +461,7 @@ static int ii20k_attach(struct comedi_device *dev, id = readb(devpriv->ioaddr + II20K_ID_REG); switch (id & II20K_ID_MASK) { case II20K_ID_PCI20001C_1A: + has_dio = false; break; case II20K_ID_PCI20001C_2A: has_dio = true; -- 1.9.1 signature.asc Description: PGP signature ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
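Review bot: Setting `has_dio = false;` only in the `II20K_ID_PCI20001C_1A` case leaves the variable unset for any id that falls through to a `default:` branch, which the hunk does not show. If that branch returns an error the patch is complete as it stands; if it does not, initialising `has_dio` at its declaration would cover every path with one line instead of one assignment per case.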
Re: [PATCH] staging: rtl8712: fix potential leaks in r8712_set_key()
On Sat, 3 May 2014 20:27:35 -0400, Greg KH wrote:
> On Thu, May 01, 2014 at 11:54:02PM +0200, Christian Engelmayer wrote:
> > Fix potential leaks in the error paths of r8712_set_key(). In case the
> > algorithm specific checks fail, the function returns without enqueuing
> > or freeing the already allocated command and parameter structs. Use a
> > centralized exit path and make sure that all memory is freed correctly.
> > Detected by Coverity - CID 144370, 144371.
> >
> > Signed-off-by: Christian Engelmayer
> > ---
> > Compile tested and applies against branch staging-next of tree
> > git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git
>
> This doesn't apply either, and neither does one of your other patches,
> what is going on?

Greg, I am sorry that last week's set of staging patches had problems. It is
not my intention to waste your time.

I could reproduce the issue by running git am on my patches as received back
from the mailing list. Most of the set failed as the mails were split
incorrectly. I started rebasing the patches to the current staging-next and
fixed my mail agent's settings to generate no multipart, 7bit text/plain
us-ascii. Thus the same set sent to myself applies now to a fresh clone of
your tree.

git checkout -b integration-test origin/staging-next
Branch integration-test set up to track remote branch staging-next from origin.
Switched to a new branch 'integration-test'

git am ./staging.mbox
Applying: staging: binder: fix usage of uninit scalar in binder_transaction()
Applying: staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach()
Applying: staging: rtl8188eu: fix potential leak in rtw_set_key()
Applying: staging: rtl8188eu: fix potential leak in rtw_wx_read32()
Applying: staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Applying: staging: rtl8712: fix potential leaks in r8712_set_key()
Applying: staging: rtl8723au: Remove unused pointer in rtw_wdev_free()
Applying: staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Applying: staging: silicom: Remove needless calls of get_status_port_fn()
Applying: staging: silicom: Remove unused pointer in bypass_init_module()
Applying: staging: vt6656: fix potential leak in vt6656_hostap_ioctl()
Applying: staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
Applying: staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
Applying: staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
Applying: staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()

> Can you just refresh all of the outstanding patches you have sent me
> that I have not applied and resend them?

Of course. In case there are no objections or further hints, I will check the
refreshed patches later this week when I have got a bit more time and will
resend them.

Regards,
Christian
[PATCH v2] staging: rtl8723au: Remove unused pointer in rtw_wdev_free()
Pointer 'pwdev_priv' in function rtw_wdev_free() is unused - thus remove it. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c | 4 1 file changed, 4 deletions(-) diff --git a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c index ca100dc..be89741 100644 --- a/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c +++ b/drivers/staging/rtl8723au/os_dep/ioctl_cfg80211.c @@ -3576,15 +3576,11 @@ exit: void rtw_wdev_free(struct wireless_dev *wdev) { - struct rtw_wdev_priv *pwdev_priv; - DBG_8723A("%s(wdev =%p)\n", __func__, wdev); if (!wdev) return; - pwdev_priv = wdev_to_priv(wdev); - kfree(wdev->wiphy->bands[IEEE80211_BAND_2GHZ]); kfree(wdev->wiphy->bands[IEEE80211_BAND_5GHZ]); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v2 3/5] staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
Function rtw_mp_QueryDrv() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077713. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 1bd476d..8b1579b 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7350,12 +7350,15 @@ static int rtw_mp_QueryDrv(struct net_device *dev, char*input = kmalloc(wrqu->data.length, GFP_KERNEL); u8 qAutoLoad = 1; struct eeprom_priv *pEEPROM = GET_EEPROM_EFUSE_PRIV(padapter); + int ret = 0; if (!input) return -ENOMEM; - if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) - return -EFAULT; + if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) { + ret = -EFAULT; + goto exit; + } DBG_88E("%s:iwpriv in =%s\n", __func__, input); qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */ @@ -7369,8 +7372,10 @@ static int rtw_mp_QueryDrv(struct net_device *dev, sprintf(extra, "ok"); } wrqu->data.length = strlen(extra) + 1; + +exit: kfree(input); - return 0; + return ret; } static int rtw_mp_set(struct net_device *dev, -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
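Review bot: The context line `DBG_88E("%s:iwpriv in =%s\n", __func__, input);` in the first hunk prints `input` with %s, yet the buffer is `kmalloc(wrqu->data.length, GFP_KERNEL)` filled by copy_from_user() and nothing in the visible lines NUL-terminates it, so the print can run past the allocation when the caller's data has no terminator. Since this patch already reworks every exit of the function, it would be a good place to allocate `wrqu->data.length + 1` and terminate the buffer, or to say in the changelog that the string handling is left for a follow-up.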
[PATCH v2] staging: silicom: Remove needless calls of get_status_port_fn()
Remove a needless pointer initialisation and call to get_status_port_fn() in functions remove_bypass_tpl_auto() and set_tpl_fn(). Variable 'pbpctl_dev_b' is set correctly later in the function before first use. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/silicom/bpctl_mod.c | 7 ++- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/staging/silicom/bpctl_mod.c b/drivers/staging/silicom/bpctl_mod.c index 7f3d884..bbc183f 100644 --- a/drivers/staging/silicom/bpctl_mod.c +++ b/drivers/staging/silicom/bpctl_mod.c @@ -4735,10 +4735,9 @@ static void bp_tpl_timer_fn(unsigned long param) static void remove_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev) { - struct bpctl_dev *pbpctl_dev_b = NULL; + struct bpctl_dev *pbpctl_dev_b; if (!pbpctl_dev) return; - pbpctl_dev_b = get_status_port_fn(pbpctl_dev); if (pbpctl_dev->bp_caps & TPL_CAP) { del_timer_sync(&pbpctl_dev->bp_tpl_timer); @@ -4785,12 +4784,10 @@ static int set_bypass_tpl_auto(struct bpctl_dev *pbpctl_dev, unsigned int param) static int set_tpl_fn(struct bpctl_dev *pbpctl_dev, int tpl_mode) { - struct bpctl_dev *pbpctl_dev_b = NULL; + struct bpctl_dev *pbpctl_dev_b; if (!pbpctl_dev) return -1; - pbpctl_dev_b = get_status_port_fn(pbpctl_dev); - if (pbpctl_dev->bp_caps & TPL_CAP) { if (tpl_mode) { pbpctl_dev_b = get_status_port_fn(pbpctl_dev); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
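Review bot: In the set_tpl_fn() hunk the only remaining assignment of `pbpctl_dev_b` visible is inside `if (tpl_mode) {`, and the patch removes both the `= NULL` initialiser and the unconditional `get_status_port_fn()` call, so any use of the pointer outside that branch would now read an uninitialised value where it previously saw a valid or NULL pointer. The hunk does not show the rest of the function; please confirm there is no such use, or keep `= NULL` and drop only the redundant call. The same check applies to remove_bypass_tpl_auto(), where the later assignment the changelog refers to is outside the visible context.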
[PATCH v2 0/5] staging: rtl8188eu: fix Coverity defects in os_dep/ioctl_linux.c
This is a cleanup of staging/rtl8188eu/os_dep/ioctl_linux.c regarding Coverity
resource leak findings. The changes leave the current implementation intact
and just attack the problems in the error paths, however, it seems that we
could easily get rid of some of the mallocs altogether.

    char *input = kmalloc(wrqu->data.length, GFP_KERNEL);
    copy_from_user(input, wrqu->data.pointer, wrqu->data.length);
    qAutoLoad = strncmp(input, "autoload", 8);

v2: Resend after v1 failed to apply
* rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove
  'u8 *pbuf' from struct recv_buf)
* fixed mua: no multipart, 7bit text/plain us-ascii

The series is compile tested and applies against branch staging-next of tree
git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git

Christian Engelmayer (5):
  staging: rtl8188eu: fix potential leak in rtw_wx_read32()
  staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
  staging: rtl8188eu: fix potential leak in rtw_mp_QueryDrv()
  staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
  staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()

 drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 69 +-
 1 file changed, 45 insertions(+), 24 deletions(-)

--
1.9.1
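The error-path pattern this cover letter describes, modelled in userspace C as an added example (not code from the series or the driver). model_alloc(), model_free(), model_copy_from_user() and the three query_* functions are stand-ins invented here; the last one is one possible reading of the remark that the malloc could go away, since only 8 bytes are ever compared.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins for kmalloc/kfree/copy_from_user (assumptions made for
 * this model, not kernel APIs). live_allocs counts buffers not yet freed. */
static int live_allocs;
static int fail_copy;	/* 1 = behave like a faulting user pointer */

static void *model_alloc(size_t n)
{
	void *p = malloc(n ? n : 1);

	if (p)
		live_allocs++;
	return p;
}

static void model_free(void *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

/* Returns non-zero when the copy failed, like copy_from_user(). */
static int model_copy_from_user(void *dst, const void *src, size_t n)
{
	if (fail_copy)
		return 1;
	memcpy(dst, src, n);
	return 0;
}

/* Shape before the series: the -EFAULT return skips the free. */
int query_leaky(const char *user, size_t len, int *autoload)
{
	char *input = model_alloc(len);

	if (!input)
		return -ENOMEM;
	if (model_copy_from_user(input, user, len))
		return -EFAULT;		/* 'input' is lost here */
	/* Length-checked compare, so a short buffer is never over-read. */
	*autoload = len >= 8 && memcmp(input, "autoload", 8) == 0;
	model_free(input);
	return 0;
}

/* Shape after the series: one exit label owns the free. */
int query_single_exit(const char *user, size_t len, int *autoload)
{
	char *input = model_alloc(len);
	int ret = 0;

	if (!input)
		return -ENOMEM;
	if (model_copy_from_user(input, user, len)) {
		ret = -EFAULT;
		goto exit;
	}
	*autoload = len >= 8 && memcmp(input, "autoload", 8) == 0;
exit:
	model_free(input);
	return ret;
}

/* No allocation at all: copy just the 8 bytes that are compared into a
 * fixed-size stack buffer, so no error path has anything to release. */
int query_no_alloc(const char *user, size_t len, int *autoload)
{
	char input[8];

	*autoload = 0;
	if (len < sizeof(input))
		return 0;		/* too short to match */
	if (model_copy_from_user(input, user, sizeof(input)))
		return -EFAULT;
	*autoload = memcmp(input, "autoload", sizeof(input)) == 0;
	return 0;
}

int main(void)
{
	int autoload = 0, ret;

	fail_copy = 1;	/* constructed failure: every copy faults */
	ret = query_leaky("autoload", 8, &autoload);
	printf("leaky:       ret=%d live_allocs=%d\n", ret, live_allocs);
	live_allocs = 0;
	ret = query_single_exit("autoload", 8, &autoload);
	printf("single exit: ret=%d live_allocs=%d\n", ret, live_allocs);
	ret = query_no_alloc("autoload", 8, &autoload);
	printf("no alloc:    ret=%d live_allocs=%d\n", ret, live_allocs);
	return 0;
}
```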
[PATCH v2 5/5] staging: rtl8188eu: fix potential leak in rtw_mp_pwrtrk()
Function rtw_mp_pwrtrk() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - 1077715. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 28 -- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index ea5e1f8..f04aaa3 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7119,15 +7119,15 @@ static int rtw_mp_pwrtrk(struct net_device *dev, { u8 enable; u32 thermal; - s32 ret; struct adapter *padapter = rtw_netdev_priv(dev); char*input = kmalloc(wrqu->length, GFP_KERNEL); + int ret = 0; if (!input) return -ENOMEM; if (copy_from_user(input, wrqu->pointer, wrqu->length)) { - kfree(input); - return -EFAULT; + ret = -EFAULT; + goto exit; } _rtw_memset(extra, 0, wrqu->length); @@ -7138,22 +7138,28 @@ static int rtw_mp_pwrtrk(struct net_device *dev, sprintf(extra, "mp tx power tracking stop"); } else if (sscanf(input, "ther =%d", &thermal)) { ret = Hal_SetThermalMeter(padapter, (u8)thermal); - if (ret == _FAIL) - return -EPERM; + if (ret == _FAIL) { + ret = -EPERM; + goto exit; + } sprintf(extra, "mp tx power tracking start, target value =%d ok ", thermal); } else { - kfree(input); - return -EINVAL; + ret = -EINVAL; + goto exit; } } - kfree(input); ret = Hal_SetPowerTracking(padapter, enable); - if (ret == _FAIL) - return -EPERM; + if (ret == _FAIL) { + ret = -EPERM; + goto exit; + } wrqu->length = strlen(extra); - return 0; + +exit: + kfree(input); + return ret; } static int rtw_mp_psd(struct net_device *dev, -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
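Review bot: The last hunk changes the success return value: `ret = Hal_SetPowerTracking(padapter, enable);` is followed, when the result is not _FAIL, by a fall-through to `exit:` and `return ret;`, so the function now returns whatever Hal_SetPowerTracking() handed back, where the removed line returned 0 unconditionally. Unless that non-_FAIL value is 0, callers will see a non-zero result on success. Setting `ret = 0;` before the `exit:` label, or keeping the HAL status in a separate variable as the removed `s32 ret` effectively did, restores the old behaviour.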
[PATCH v2] staging: comedi: ii_pci20kc: fix usage of uninit scalar in ii20k_attach()
This driver supports the PCI-20001C-1a and PCI-20001C-2a carrier boards. The -2a version has 32 on-board DIO channels. In case this variant is detected, local variable 'has_dio' is set accordingly. Otherwise it is left uninitialized and the following subdevice instantiation depends on the stack. Detected by Coverity - CID 1077830. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/comedi/drivers/ii_pci20kc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/comedi/drivers/ii_pci20kc.c b/drivers/staging/comedi/drivers/ii_pci20kc.c index 3558ab3..2516ce8 100644 --- a/drivers/staging/comedi/drivers/ii_pci20kc.c +++ b/drivers/staging/comedi/drivers/ii_pci20kc.c @@ -461,6 +461,7 @@ static int ii20k_attach(struct comedi_device *dev, id = readb(devpriv->ioaddr + II20K_ID_REG); switch (id & II20K_ID_MASK) { case II20K_ID_PCI20001C_1A: + has_dio = false; break; case II20K_ID_PCI20001C_2A: has_dio = true; -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v2 4/5] staging: rtl8188eu: fix potential leak in rtw_mp_SetRFPath()
Function rtw_mp_SetRFPath() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077714. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 8b1579b..ea5e1f8 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -7321,11 +7321,14 @@ static int rtw_mp_SetRFPath(struct net_device *dev, struct adapter *padapter = rtw_netdev_priv(dev); char*input = kmalloc(wrqu->data.length, GFP_KERNEL); u8 bMain = 1, bTurnoff = 1; + int ret = 0; if (!input) return -ENOMEM; - if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) - return -EFAULT; + if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) { + ret = -EFAULT; + goto exit; + } DBG_88E("%s:iwpriv in =%s\n", __func__, input); bMain = strncmp(input, "1", 2); /* strncmp true is 0 */ @@ -7338,8 +7341,10 @@ static int rtw_mp_SetRFPath(struct net_device *dev, MP_PHY_SetRFPathSwitch(padapter, false); DBG_88E("%s:PHY_SetRFPathSwitch = false\n", __func__); } + +exit: kfree(input); - return 0; + return ret; } static int rtw_mp_QueryDrv(struct net_device *dev, -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
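Review bot: The context line `bMain = strncmp(input, "1", 2);` in the first hunk compares up to two bytes, but `input` is allocated with exactly `wrqu->data.length` bytes and no minimum length is checked in the visible lines, so a one-byte request containing "1" makes the comparison read one byte past the buffer. With the new `exit:` label in place, a length check that sets `ret = -EINVAL` and jumps to `exit` before the comparisons would close that without adding another free.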
[PATCH v2] staging: rtl8712: fix potential leaks in r8712_set_key()
Fix potential leaks in the error paths of r8712_set_key(). In case the algorithm specific checks fail, the function returns without enqueuing or freeing the already allocated command and parameter structs. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 144370, 144371. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8712/rtl871x_mlme.c | 28 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/drivers/staging/rtl8712/rtl871x_mlme.c b/drivers/staging/rtl8712/rtl871x_mlme.c index 3ea99ae..23fd8c1 100644 --- a/drivers/staging/rtl8712/rtl871x_mlme.c +++ b/drivers/staging/rtl8712/rtl871x_mlme.c @@ -1243,14 +1243,15 @@ sint r8712_set_key(struct _adapter *adapter, struct cmd_obj *pcmd; struct setkey_parm *psetkeyparm; u8 keylen; + sint ret = _SUCCESS; pcmd = (struct cmd_obj *)_malloc(sizeof(struct cmd_obj)); if (pcmd == NULL) return _FAIL; psetkeyparm = (struct setkey_parm *)_malloc(sizeof(struct setkey_parm)); if (psetkeyparm == NULL) { - kfree((unsigned char *)pcmd); - return _FAIL; + ret = _FAIL; + goto err_free_cmd; } memset(psetkeyparm, 0, sizeof(struct setkey_parm)); if (psecuritypriv->AuthAlgrthm == 2) { /* 802.1X */ 
@@ -1274,23 +1275,28 @@ sint r8712_set_key(struct _adapter *adapter, psecuritypriv->DefKey[keyid].skey, keylen); break; case _TKIP_: - if (keyid < 1 || keyid > 2) - return _FAIL; + if (keyid < 1 || keyid > 2) { + ret = _FAIL; + goto err_free_parm; + } keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; case _AES_: - if (keyid < 1 || keyid > 2) - return _FAIL; + if (keyid < 1 || keyid > 2) { + ret = _FAIL; + goto err_free_parm; + } keylen = 16; memcpy(psetkeyparm->key, &psecuritypriv->XGrpKey[keyid - 1], keylen); psetkeyparm->grpkey = 1; break; default: - return _FAIL; + ret = _FAIL; + goto err_free_parm; } pcmd->cmdcode = _SetKey_CMD_; pcmd->parmbuf = (u8 *)psetkeyparm; @@ -1299,7 +1305,13 @@ sint r8712_set_key(struct _adapter *adapter, pcmd->rspsz = 0; _init_listhead(&pcmd->list); r8712_enqueue_cmd(pcmdpriv, pcmd); - return _SUCCESS; + return ret; + +err_free_parm: + kfree(psetkeyparm); +err_free_cmd: + kfree(pcmd); + return ret; } /* adjust IEs for r8712_joinbss_cmd in WMM */ -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
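Review bot: The `_TKIP_` and `_AES_` cases in the second hunk now each carry an identical copy of the keyid range check with `ret = _FAIL; goto err_free_parm;`, and the rest of both case bodies is identical in the visible context as well. Letting `case _TKIP_:` fall through to `case _AES_:` would leave a single check and a single memcpy to maintain, which matters here because the check guards the `XGrpKey[keyid - 1]` index.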
[PATCH v2] staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()
Fix a potential leak in the error path of r871x_wx_set_enc_ext(). In case the requested algorithm is not supported by the driver, the function returns without freeing the already allocated 'param' struct. Move the input verification to the beginning of the function so that the direct return is safe. Detected by Coverity - CID 144373. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8712/rtl871x_ioctl_linux.c | 16 +--- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c index 23d539d..1eca992 100644 --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c @@ -1801,13 +1801,6 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, u32 param_len; int ret = 0; - param_len = sizeof(struct ieee_param) + pext->key_len; - param = (struct ieee_param *)_malloc(param_len); - if (param == NULL) - return -ENOMEM; - memset(param, 0, param_len); - param->cmd = IEEE_CMD_SET_ENCRYPTION; - memset(param->sta_addr, 0xff, ETH_ALEN); switch (pext->alg) { case IW_ENCODE_ALG_NONE: alg_name = "none"; 
@@ -1824,6 +1817,15 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, default: return -EINVAL; } + + param_len = sizeof(struct ieee_param) + pext->key_len; + param = (struct ieee_param *)_malloc(param_len); + if (param == NULL) + return -ENOMEM; + memset(param, 0, param_len); + param->cmd = IEEE_CMD_SET_ENCRYPTION; + memset(param->sta_addr, 0xff, ETH_ALEN); + strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); if (pext->ext_flags & IW_ENCODE_EXT_GROUP_KEY) param->u.crypt.set_tx = 0; -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
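Review bot: the block moved in the second hunk still computes 'param_len = sizeof(struct ieee_param) + pext->key_len' with no bound on pext->key_len visible in either hunk. Since the allocation is being relocated anyway, either add a check of key_len against the size of the destination key field ahead of the _malloc(), or say in the changelog where it is already validated. Separately, 'default: return -EINVAL;' is now leak-free only because the switch runs before the allocation; a one-line comment above the switch saying so would keep a later change from reintroducing the leak.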
[PATCH v3] staging: rtl8188eu: fix potential leak in rtw_set_key()
Fix a potential leak in the error path of rtw_set_key(). In case the requested algorithm is not supported by the driver, the function returns without enqueuing or freeing the already allocated command and parameter structs. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077716, 1077717. Signed-off-by: Christian Engelmayer --- v3: Resend after v2 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii v2: Added changes requested by Dan Carpenter: * Just return directly where no cleanup is needed. * Prefer naming labels by the labeled action rather than the goto location. Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_mlme.c | 19 +++ 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_mlme.c b/drivers/staging/rtl8188eu/core/rtw_mlme.c index 769d4dd..155282e 100644 --- a/drivers/staging/rtl8188eu/core/rtw_mlme.c +++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c @@ -1727,15 +1727,13 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in int res = _SUCCESS; pcmd = (struct cmd_obj *)rtw_zmalloc(sizeof(struct cmd_obj)); - if (pcmd == NULL) { - res = _FAIL; /* try again */ - goto exit; - } + if (pcmd == NULL) + return _FAIL; /* try again */ + psetkeyparm = (struct setkey_parm *)rtw_zmalloc(sizeof(struct setkey_parm)); if (psetkeyparm == NULL) { - kfree(pcmd); res = _FAIL; - goto exit; + goto err_free_cmd; } _rtw_memset(psetkeyparm, 0, sizeof(struct setkey_parm)); 
@@ -1784,7 +1782,7 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in ("\n rtw_set_key:psecuritypriv->dot11PrivacyAlgrthm=%x (must be 1 or 2 or 4 or 5)\n", psecuritypriv->dot11PrivacyAlgrthm)); res = _FAIL; - goto exit; + goto err_free_parm; } pcmd->cmdcode = _SetKey_CMD_; pcmd->parmbuf = (u8 *)psetkeyparm; @@ -1793,7 +1791,12 @@ int rtw_set_key(struct adapter *adapter, struct security_priv *psecuritypriv, in pcmd->rspsz = 0; _rtw_init_listhead(&pcmd->list); res = rtw_enqueue_cmd(pcmdpriv, pcmd); -exit: + return res; + +err_free_parm: + kfree(psetkeyparm); +err_free_cmd: + kfree(pcmd); return res; } -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
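Review bot: in the last hunk the success path is 'res = rtw_enqueue_cmd(pcmdpriv, pcmd); return res;', which skips both kfree() labels even when the enqueue itself fails. The changelog should state that rtw_enqueue_cmd() takes ownership of pcmd and its parmbuf in every case; if it does not, the failure case has to fall into err_free_parm. In the first hunk, psetkeyparm comes from rtw_zmalloc() and is then cleared again by the '_rtw_memset(psetkeyparm, 0, ...)' context line, which looks redundant and could be dropped in a follow-up.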
[PATCH v2] staging: binder: fix usage of uninit scalar in binder_transaction()
Fix the error path when a cookie mismatch is detected. In that case the function jumps to the exit label without setting the uninitialized, local variable 'return_error'. Detected by Coverity - CID 201453. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/android/binder.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/staging/android/binder.c b/drivers/staging/android/binder.c index 35c00ab..de8e2a3 100644 --- a/drivers/staging/android/binder.c +++ b/drivers/staging/android/binder.c @@ -1546,6 +1546,7 @@ static void binder_transaction(struct binder_proc *proc, proc->pid, thread->pid, (u64)fp->binder, node->debug_id, (u64)fp->cookie, (u64)node->cookie); + return_error = BR_FAILED_REPLY; goto err_binder_get_ref_for_node_failed; } ref = binder_get_ref_for_node(target_proc, node); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
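Review bot: the added 'return_error = BR_FAILED_REPLY;' covers the cookie-mismatch jump to err_binder_get_ref_for_node_failed, but the changelog does not say whether the other jumps to that label were checked for the same omission. Please state that, and name what the stale value of return_error is subsequently used for, so the severity of the bug can be judged from the commit message alone.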
[PATCH v2] staging: vt6656: fix potential leak in vt6656_hostap_ioctl()
Commit fb841d67 (staging: vt6656: don't leak 'param' in vt6656_hostap_ioctl() when returning -EOPNOTSUPP) cleaned up direct returns in the ioctl switch statement that leaked already allocated memory. Fix the same issue for VIAWGET_HOSTAPD_SCAN_REQ and VIAWGET_HOSTAPD_MLME that are not supported by this driver. Detected by Coverity - CID 144381. Signed-off-by: Christian Engelmayer --- v2: Resend after v1 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/vt6656/hostap.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vt6656/hostap.c b/drivers/staging/vt6656/hostap.c index 67ba48b..a0d9fff 100644 --- a/drivers/staging/vt6656/hostap.c +++ b/drivers/staging/vt6656/hostap.c @@ -742,7 +742,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_MLME: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_MLME \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SET_GENERIC_ELEMENT \n"); @@ -751,7 +752,8 @@ int vt6656_hostap_ioctl(struct vnt_private *pDevice, struct iw_point *p) case VIAWGET_HOSTAPD_SCAN_REQ: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_SCAN_REQ \n"); - return -EOPNOTSUPP; + ret = -EOPNOTSUPP; + goto out; case VIAWGET_HOSTAPD_STA_CLEAR_STATS: DBG_PRT(MSG_LEVEL_DEBUG, KERN_INFO "VIAWGET_HOSTAPD_STA_CLEAR_STATS \n"); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
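Review bot: both hunks replace 'return -EOPNOTSUPP;' with a jump to 'out', but that label lies outside the shown context, so the changelog should say explicitly that 'out' frees 'param' and returns ret. With that confirmed, it is worth checking for any remaining direct return inside this switch so that the function ends up with a single exit after the allocation.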
[PATCH v2 2/5] staging: rtl8188eu: fix potential leak in rtw_wx_set_enc_ext()
Function rtw_wx_set_enc_ext() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077712. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index 45b47e2..1bd476d 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2097,7 +2097,8 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, alg_name = "CCMP"; break; default: - return -1; + ret = -1; + goto exit; } strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); @@ -2124,6 +2125,7 @@ static int rtw_wx_set_enc_ext(struct net_device *dev, ret = wpa_set_encryption(dev, param, param_len); +exit: kfree(param); return ret; } -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
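Review bot: the default: branch in the first hunk keeps the bare -1 ('ret = -1;'), which reaches user space as -EPERM. The rtl8712 version of this function returns -EINVAL for an unsupported algorithm, and since the line is being rewritten anyway, 'ret = -EINVAL;' would be the accurate error code here as well.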
[PATCH v3] staging: rtl8188eu: fix potential leak in update_bcn_wps_ie()
Fix a potential leak in the error path of function update_bcn_wps_ie(). Move the affected input verification to the beginning of the function so that it may return directly without leaking already allocated memory. Detected by Coverity - CID 1077718. Signed-off-by: Christian Engelmayer --- v3: Resend after v2 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii v2: Added change suggested by Mateusz Guzik for the rtl8723au variant: Move the check before allocating the memory instead of freeing the resource afterwards in the error path. Compile tested and applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/rtl8188eu/core/rtw_ap.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_ap.c b/drivers/staging/rtl8188eu/core/rtw_ap.c index ff74d0d..85fda61 100644 --- a/drivers/staging/rtl8188eu/core/rtw_ap.c +++ b/drivers/staging/rtl8188eu/core/rtw_ap.c @@ -1306,6 +1306,10 @@ static void update_bcn_wps_ie(struct adapter *padapter) DBG_88E("%s\n", __func__); + pwps_ie_src = pmlmepriv->wps_beacon_ie; + if (pwps_ie_src == NULL) + return; + pwps_ie = rtw_get_wps_ie(ie+_FIXED_IE_LENGTH_, ielen-_FIXED_IE_LENGTH_, NULL, &wps_ielen); if (pwps_ie == NULL || wps_ielen == 0) @@ -1323,10 +1327,6 @@ static void update_bcn_wps_ie(struct adapter *padapter) memcpy(pbackup_remainder_ie, premainder_ie, remainder_ielen); } - pwps_ie_src = pmlmepriv->wps_beacon_ie; - if (pwps_ie_src == NULL) - return; - wps_ielen = (uint)pwps_ie_src[1];/* to get ie data len */ if ((wps_offset+wps_ielen+2+remainder_ielen) <= MAX_IE_SZ) { memcpy(pwps_ie, pwps_ie_src, wps_ielen+2); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v3] staging: silicom: Remove unused pointer in bypass_init_module()
Pointer 'pbpctl_dev_c' in function bypass_init_module() is unused. Thus remove it. With the last variable declaration gone, there is no more need for an own block. Remove it and adapt the indenting accordingly. Signed-off-by: Christian Engelmayer --- v3: Resend after v2 failed to apply * rebased against staging-next - commit 09c3fbba (staging: rtl8188eu: Remove 'u8 *pbuf' from struct recv_buf) * fixed mua: no multipart, 7bit text/plain us-ascii v2: Added changes requested by Dan Carpenter: Dan pointed out that with the declaration gone, the indent block shall be removed. This was intentionally left out in v1 in order to keep the changeset more readable. However, according to the input, also with the additional indenting change this still qualifies for one logical change. Compile tested and applies against v3.15-rc2 as well as branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git --- drivers/staging/silicom/bpctl_mod.c | 41 +++-- 1 file changed, 17 insertions(+), 24 deletions(-) diff --git a/drivers/staging/silicom/bpctl_mod.c b/drivers/staging/silicom/bpctl_mod.c index 7f3d884..2fb9a6f 100644 --- a/drivers/staging/silicom/bpctl_mod.c +++ b/drivers/staging/silicom/bpctl_mod.c 
@@ -6371,33 +6371,26 @@ static int __init bypass_init_module(void) sema_init(&bpctl_sema, 1); spin_lock_init(&bpvm_lock); - { - - struct bpctl_dev *pbpctl_dev_c = NULL; - for (idx_dev = 0, dev = bpctl_dev_arr; -idx_dev < device_num && dev->pdev; -idx_dev++, dev++) { - if (dev->bp_10g9) { - pbpctl_dev_c = get_status_port_fn(dev); - if (is_bypass_fn(dev)) { - printk(KERN_INFO "%s found, ", - dev->name); - dev->bp_fw_ver = bypass_fw_ver(dev); - printk("firmware version: 0x%x\n", - dev->bp_fw_ver); - } - dev->wdt_status = WDT_STATUS_UNKNOWN; - dev->reset_time = 0; - atomic_set(&dev->wdt_busy, 0); - dev->bp_status_un = 1; - - bypass_caps_init(dev); - - init_bypass_wd_auto(dev); - init_bypass_tpl_auto(dev); + for (idx_dev = 0, dev = bpctl_dev_arr; +idx_dev < device_num && dev->pdev; +idx_dev++, dev++) { + if (dev->bp_10g9) { + if (is_bypass_fn(dev)) { + printk(KERN_INFO "%s found, ", dev->name); + dev->bp_fw_ver = bypass_fw_ver(dev); + printk("firmware version: 0x%x\n", + dev->bp_fw_ver); } + dev->wdt_status = WDT_STATUS_UNKNOWN; + dev->reset_time = 0; + atomic_set(&dev->wdt_busy, 0); + dev->bp_status_un = 1; + + bypass_caps_init(dev); + init_bypass_wd_auto(dev); + init_bypass_tpl_auto(dev); } } -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
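Review bot: besides the unused declaration, the hunk drops the call 'pbpctl_dev_c = get_status_port_fn(dev);', and the changelog only says the pointer is unused. Please state that get_status_port_fn() has no side effects that the dev->bp_10g9 branch relied on, since that is what makes removing the call safe. As a style point, the second printk() continues the line started by the first without KERN_CONT; a single pr_info() carrying both dev->name and dev->bp_fw_ver would be cleaner in lines that are being re-indented anyway.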
[PATCH v2 1/5] staging: rtl8188eu: fix potential leak in rtw_wx_read32()
Function rtw_wx_read32() dynamically allocates a temporary buffer that is not freed in all error paths. Use a centralized exit path and make sure that all memory is freed correctly. Detected by Coverity - CID 1077711. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 15 +-- 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index cf30a08..45b47e2 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -2154,6 +2154,7 @@ static int rtw_wx_read32(struct net_device *dev, u32 bytes; u8 *ptmp; int rv; + int ret = 0; padapter = (struct adapter *)rtw_netdev_priv(dev); p = &wrqu->data; @@ -2163,16 +2164,16 @@ static int rtw_wx_read32(struct net_device *dev, return -ENOMEM; if (copy_from_user(ptmp, p->pointer, len)) { - kfree(ptmp); - return -EFAULT; + ret = -EFAULT; + goto exit; } bytes = 0; addr = 0; rv = sscanf(ptmp, "%d,%x", &bytes, &addr); if (rv != 2) { - kfree(ptmp); - return -EINVAL; + ret = -EINVAL; + goto exit; } switch (bytes) { @@ -2190,12 +2191,14 @@ static int rtw_wx_read32(struct net_device *dev, break; default: DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n", __func__); - return -EINVAL; + ret = -EINVAL; + goto exit; } DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr, extra); +exit: kfree(ptmp); - return 0; + return ret; } static int rtw_wx_write32(struct net_device *dev, -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
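Review bot: the string handed to sscanf(ptmp, "%d,%x", &bytes, &addr) is whatever copy_from_user() placed in ptmp, and none of the hunks shows a terminating NUL being written; if the buffer is allocated with exactly len bytes, sscanf() can read past its end. While the error paths are being reworked, allocate len + 1 and terminate the buffer, or say in the changelog where that already happens. Also, 'bytes' is declared u32 but parsed with %d; %u matches the type.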
staging: dgap/dgnc maintainers list
Hi, As I got a bit queued up for dgap, I just noticed that commit 542f3d5a states to add Mark to the maintainers list for dgap, while the patch addresses the dgnc entry. Was that the intention? https://lkml.org/lkml/2014/4/25/275 Regards, Christian --- commit 542f3d5af89c15d0b4e80bbf927d252efa0e48c3 Author: Mark Hounschell Date: Fri Apr 25 14:32:15 2014 -0400 staging: dgap: Add Mark Hounschell to maintainers list for dgap Add Mark Hounschell to the MAINTAINERs list for the dgap driver Signed-off-by: Mark Hounschell Suggested-by: Dan Carpenter Cc: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman diff --git a/MAINTAINERS b/MAINTAINERS index da68679..610c982 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -2789,6 +2789,7 @@ F:sound/soc/codecs/da[79]*.[ch] DIGI NEO AND CLASSIC PCI PRODUCTS M: Lidza Louina +M: Mark Hounschell L: driverdev-devel@linuxdriverproject.org S: Maintained F: drivers/staging/dgnc/ ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: staging: dgap/dgnc maintainers list
On Fri, 16 May 2014 15:06:46 +0300, Dan Carpenter wrote:
> On Fri, May 16, 2014 at 07:57:08AM -0400, Mark Hounschell wrote:
> > On 05/16/2014 07:52 AM, Mark Hounschell wrote:
> > > On 05/15/2014 06:49 PM, Dan Carpenter wrote:
> > >> On Fri, May 16, 2014 at 12:27:01AM +0200, Christian Engelmayer wrote:
> > >>> Hi,
> > >>>
> > >>> As I got a bit queued up for dgap, I just noticed that commit 542f3d5a states
> > >>> to add Mark to the maintainers list for dgap, while the patch addresses the
> > >>> dgnc entry. Was that the intention?
> > >>
> > >> No, it wasn't at all. Mark, please send a patch which moves you to the
> > >> correct MAINTAINERS section.
> > >>
> > >
> > > Sure. How did I mess that up? Hope Greg catches it.
> > >
> >
> > Actually that patch might be OK as I have these digi NEO cards also and
> > will eventually be willing to do some of the same type of work on the
> > dgnc and dgdm (one greg adds it) as I've been doing on the dgap.
>
> Heh. That worked out nicely. :)

That's very good indeed :) Also glad I waited for Your outstanding patches to be applied. Commit 077c28f (staging: dgap: Fix how we insure config data is a string) should fix two bugs that recently showed up under static analysis: The off-by-one issue for 'dgap_config_buf' under Coverity defect ID 1195252, as well as the use after free issue for 'fw' under CID 1195275.

Regards,
Christian
[PATCH 2/2] staging: rtl8188eu: remove dead code in rtw_drv_init()
(status != _SUCCESS) immediately after 'status = _SUCCESS' will never evaluate true. Thus remove the logically dead code. Detected by Coverity - CID 1077553. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c index 632a5b0a..2a96add 100644 --- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c +++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c @@ -713,8 +713,6 @@ static int rtw_drv_init(struct usb_interface *pusb_intf, const struct usb_device status = _SUCCESS; - if (status != _SUCCESS && if1) - rtw_usb_if1_deinit(if1); free_dvobj: if (status != _SUCCESS) usb_dvobj_deinit(pusb_intf); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
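Review bot: the two removed lines sat between 'status = _SUCCESS;' and the free_dvobj label, which reads like an unwind step whose label was lost rather than plain dead code. Before dropping it, please confirm in the changelog that no failure after if1 has been set up needs rtw_usb_if1_deinit(if1); if one does, the right fix is to restore a label in front of the call and jump to it, not to delete the call.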
[PATCH 0/2] staging: rtl8188eu: fix Coverity defects in rtw_drv_init()
This addresses two issues currently reported by static analysis for function rtw_drv_init() in drivers/staging/rtl8188eu/os_dep/usb_intf.c.

CID 1077553 - Logically dead code
CID 1077832 - Uninitialized scalar variable

Compile tested only. Applies against branch staging-next of tree git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git

Christian Engelmayer (2):
  staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init()
  staging: rtl8188eu: remove dead code in rtw_drv_init()

 drivers/staging/rtl8188eu/os_dep/usb_intf.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--
1.9.1
[PATCH 1/2] staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init()
Function rtw_drv_init() is written in a way that assumes 'status' != _SUCCESS as long as not explicitly set. Thus initialize 'status' to FAIL, in order to prevent undefined behaviour if going through the exit paths. Detected by Coverity - CID 1077832. Signed-off-by: Christian Engelmayer --- drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/rtl8188eu/os_dep/usb_intf.c b/drivers/staging/rtl8188eu/os_dep/usb_intf.c index 8ed2ac8..632a5b0a 100644 --- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c +++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c @@ -685,7 +685,7 @@ static void rtw_usb_if1_deinit(struct adapter *if1) static int rtw_drv_init(struct usb_interface *pusb_intf, const struct usb_device_id *pdid) { struct adapter *if1 = NULL; - int status; + int status = _FAIL; struct dvobj_priv *dvobj; RT_TRACE(_module_hci_intfs_c_, _drv_err_, ("+rtw_drv_init\n")); -- 1.9.1 ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
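Review bot: initialising 'status' to _FAIL at the declaration fixes the reported path, but it also silences the compiler's uninitialised-variable warning for every exit path added later. Setting status explicitly before each goto would keep that check working. The commit message says FAIL where the code uses _FAIL.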
Re: [PATCH 1/2] staging: rtl8188eu: fix usage of uninit scalar in rtw_drv_init()
On Sat, 17 May 2014 17:44:23 +0300, Dan Carpenter wrote:
> On Sat, May 17, 2014 at 12:38:57PM +0200, Christian Engelmayer wrote:
> > Function rtw_drv_init() is written in a way that assumes 'status' != _SUCCESS
> > as long as not explicitly set. Thus initialize 'status' to FAIL, in order to
> > prevent undefined behaviour if going through the exit paths. Detected by
> > Coverity - CID 1077832.
> >
> > Signed-off-by: Christian Engelmayer
>
> This is a bugfix and we like to merge bugfixes without asking to redo
> things, so don't redo. But really the better fix is to get rid of the
> status variable completely. Just return directly on the success path.
>
> If we were to do that, then both patches would be merged together and
> called: [patch] Staging: rtl8188eu: fix error handling in rtw_drv_init()
>
> But this patch is also acceptable as-is. Thanks for fixing the bug. :)

I agree with You Dan. I'm no big fan of that status variable either. In this case I was already tempted, but saw it as a recurring pattern in that file in case cleanup is done. So I decided to just attack the bug in a small change and leave the cleanup of the error handling pattern for a later, consistent sweep over the whole file if that's wanted.

Regards,
Christian
Re: [PATCH 2/2] staging: vt6656: fix leaks in error path
On Fri, 30 May 2014 20:47:44 +0200, Nicolas Thery wrote:
> Fix memory leaks in ioctl error handling paths.
>
> Signed-off-by: Nicolas Thery
> ---
> drivers/staging/vt6656/hostap.c | 6 --
> 1 file changed, 4 insertions(+), 2 deletions(-)

This doesn't apply against staging-next. The changeset itself seems to be identical to commit 721b79d1 (staging: vt6656: fix potential leak in vt6656_hostap_ioctl()) - https://lkml.org/lkml/2014/5/7/833

The affected file has been removed later in commit a30d534b (staging: vt6656: Remove dead code hostap.) - http://www.spinics.net/lists/linux-wireless/msg122509.html

Regards,
Christian
Re: [PATCH] staging: rtl8712: rtl871x_mlme.c: Cleaning up memory leak
On Sun, 1 Jun 2014 13:32:20 +0200, Rickard Strandqvist wrote:
> There is a risk for memory leak when something unexpected happens
> and the function returns.
>
> This was largely found by using a static code analysis program called
> cppcheck.
>
> Signed-off-by: Rickard Strandqvist

This doesn't apply against staging-next. This fix seems to attack the same problem as existing commit 2af9e74 (staging: rtl8712: fix potential leaks in r8712_set_key()) - http://www.spinics.net/lists/linux-driver-devel/msg46501.html

I think we talked about that already - see http://www.spinics.net/lists/linux-driver-devel/msg46294.html

Regards,
Christian
Re: [PATCH] staging: rtl8712: rtl871x_ioctl_linux.c: Cleaning up memory leak
On Sun, 1 Jun 2014 13:30:43 +0200, Rickard Strandqvist wrote: > There is a risk for memory leak in when something unexpected happens > and the function returns. > > This was largely found by using a static code analysis program called > cppcheck. > > Signed-off-by: Rickard Strandqvist > --- > drivers/staging/rtl8712/rtl871x_ioctl_linux.c |1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > index 23d539d..27e0243 100644 > --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c > @@ -1822,6 +1822,7 @@ static int r871x_wx_set_enc_ext(struct net_device *dev, > alg_name = "CCMP"; > break; > default: > + kfree(param); > return -EINVAL; > } > strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN); Hi Rickard, This one doesn't apply either. Commit 55d4f6cc (staging: rtl8712: fix potential leak in r871x_wx_set_enc_ext()) moved the input verification to the beginning of the function so that the direct return no longer hurt. This change was also already in flight at the time of Your first version of the patch in May. Please check that Your patches are based on linux-next. Best Regards, Christian ___ devel mailing list de...@linuxdriverproject.org http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
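Review bot: the quoted hunk is generated against blob 23d539d of rtl871x_ioctl_linux.c, the same pre-image as the patch that moves the pext->alg switch ahead of the allocation (index 23d539d..1eca992), so it cannot apply on top of that change. On the code itself, the kfree(param) added under default: plugs only this one return and has to be repeated for every future early return; validating the algorithm before 'param' is allocated avoids the cleanup altogether.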