In the implementation of uld_send(), the skb is consumed on all
execution paths except one. Release skb when returning NET_XMIT_DROP.
Signed-off-by: Navid Emamdoost
---
v3:
- fixed the base problem, and used kfree_skb
---
drivers/net/ethernet/chelsio/cxgb4/sge.c | 1 +
1 file changed, 1
In the implementation of uld_send(), the skb is consumed on all
execution paths except one. Release skb when returning NET_XMIT_DROP.
Signed-off-by: Navid Emamdoost
---
changes in v2:
- using kfree_skb() based on David Miller suggestion.
---
drivers/net/ethernet/chelsio/cxgb4/sge.c | 2
In the implementation of __mt76x02u_mcu_send_msg() the skb is consumed
all execution paths except one. Release skb before returning if
test_bit() fails.
Signed-off-by: Navid Emamdoost
---
drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c | 7 +--
1 file changed, 5 insertions(+), 2
The implementation of s3fwrn5_recv_frame() is supposed to consume skb on
all execution paths. Release skb before returning -ENODEV.
Signed-off-by: Navid Emamdoost
---
drivers/nfc/s3fwrn5/core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nfc/s3fwrn5/core.c b/drivers/nfc/s3fwrn5
In the implementation of mt7601u_mcu_msg_send(), skb is supposed to be
consumed on all execution paths. Release skb before returning if
test_bit() fails.
Signed-off-by: Navid Emamdoost
---
drivers/net/wireless/mediatek/mt7601u/mcu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff
In the implementation of uld_send(), the skb is consumed on all
execution paths except one. Release skb when returning NET_XMIT_DROP.
Signed-off-by: Navid Emamdoost
---
drivers/net/ethernet/chelsio/cxgb4/sge.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/chelsio
in macb_mdio_write, macb_mdio_read, and at91ether_open,
pm_runtime_get_sync is called which increments the counter even in case of
failure, leading to incorrect ref count.
In case of failure, decrement the ref count before returning.
Signed-off-by: Navid Emamdoost
---
drivers/net/ethernet
in fec_enet_mdio_read, fec_enet_mdio_write, fec_enet_get_regs,
fec_enet_open and fec_drv_remove, pm_runtime_get_sync is called which
increments the counter even in case of failure, leading to incorrect
ref count. In case of failure, decrement the ref count before returning.
Signed-off-by: Navid
Calling pm_runtime_get_sync increments the counter even in case of
failure, causing incorrect ref count. Call pm_runtime_put if
pm_runtime_get_sync fails.
Signed-off-by: Navid Emamdoost
---
drivers/net/can/xilinx_can.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a
Calling pm_runtime_get_sync increments the counter even in case of
failure, causing incorrect ref count. Call pm_runtime_put if
pm_runtime_get_sync fails.
Signed-off-by: Navid Emamdoost
---
drivers/net/wireless/ti/wlcore/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff
Hi Brian,
On Tue, May 12, 2020 at 11:57 AM Brian Norris wrote:
>
> On Fri, Sep 6, 2019 at 11:59 AM Navid Emamdoost
> wrote:
> >
> > In ath9k_wmi_cmd, the allocated network buffer needs to be released
> > if timeout happens. Otherwise memory will be leaked.
> >
&
Hi,
I was wondering if a race condition in net/tls/tls_main.c may lead to
a UAF or not?
The scenario can be like this:
1) device is initialized and registered via chtls_register_dev()
2) while tls_hw_hash() is executed in one thread, the device gets
detached (CPU2), and another thread tries to ac
In ath10k_usb_hif_tx_sg the allocated urb should be released if
usb_submit_urb fails.
Signed-off-by: Navid Emamdoost
---
drivers/net/wireless/ath/ath10k/usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath10k/usb.c
b/drivers/net/wireless/ath/ath10k/usb.c
index
13 matches
Mail list logo
