Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()

Seven years ago we tried to fix a leak but actually introduced a double
free instead. It was an understandable mistake because the code was a
bit confusing and the free was done in the wrong place. The "skb"
pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
The free belongs in _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
and I've cleaned the code up a bit to hopefully make it more clear.

Fixes: 36ef0b473fbf ("rtlwifi: usb: add missing freeing of skbuff")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda

authored by Dan Carpenter and committed by Kalle Valo
beb12813 eda31200

+2 -6
drivers/net/wireless/realtek/rtlwifi/usb.c
··· 881 881 882 882 WARN_ON(NULL == skb); 883 883 _urb = usb_alloc_urb(0, GFP_ATOMIC); 884 - if (!_urb) { 885 - kfree_skb(skb); 884 + if (!_urb) 886 885 return NULL; 887 - } 888 886 _rtl_install_trx_info(rtlusb, skb, ep_num); 889 887 usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev, 890 888 ep_num), skb->data, skb->len, _rtl_tx_complete, skb); ··· 896 898 struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw)); 897 899 u32 ep_num; 898 900 struct urb *_urb = NULL; 899 - struct sk_buff *_skb = NULL; 900 901 901 902 WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl); 902 903 if (unlikely(IS_USB_STOP(rtlusb))) { ··· 904 907 return; 905 908 } 906 909 ep_num = rtlusb->ep_map.ep_mapping[qnum]; 907 - _skb = skb; 908 - _urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num); 910 + _urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num); 909 911 if (unlikely(!_urb)) { 910 912 pr_err("Can't allocate urb. Drop skb!\n"); 911 913 kfree_skb(skb);
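
Review bot: in the first hunk, the `if (!_urb) return NULL;` path of _rtl_usb_tx_urb_setup() now leaves skb untouched, so ownership on failure stays with the caller, but nothing at the function states that. The commit message says this contract was misread when the extra kfree_skb() was added, so a short comment above the function (for example "does not free skb on failure, the caller still owns it") would make it harder for a later leak fix to reintroduce the double free.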
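
Review bot: in the last hunk, the branch under `if (unlikely(!_urb))` is now the single place the skb is freed, which matches the commit message, but the `pr_err("Can't allocate urb. Drop skb!\n")` in that branch runs on every failed GFP_ATOMIC allocation and can flood the log under memory pressure. Consider pr_err_ratelimited() for that message, since the drop itself is already handled by the kfree_skb(skb) that follows.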