rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
Seven years ago we tried to fix a leak but actually introduced a double
free instead. It was an understandable mistake because the code was a
bit confusing and the free was done in the wrong place. The "skb"
pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
and I've cleaned the code up a bit to hopefully make it more clear.
Fixes: 36ef0b473f
("rtlwifi: usb: add missing freeing of skbuff")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda
alistair/sunxi64-5.8
parent
eda31200e6
commit
beb12813bc
|
@ -881,10 +881,8 @@ static struct urb *_rtl_usb_tx_urb_setup(struct ieee80211_hw *hw,
|
|||
|
||||
WARN_ON(NULL == skb);
|
||||
_urb = usb_alloc_urb(0, GFP_ATOMIC);
|
||||
if (!_urb) {
|
||||
kfree_skb(skb);
|
||||
if (!_urb)
|
||||
return NULL;
|
||||
}
|
||||
_rtl_install_trx_info(rtlusb, skb, ep_num);
|
||||
usb_fill_bulk_urb(_urb, rtlusb->udev, usb_sndbulkpipe(rtlusb->udev,
|
||||
ep_num), skb->data, skb->len, _rtl_tx_complete, skb);
|
||||
|
@ -898,7 +896,6 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
|
|||
struct rtl_usb *rtlusb = rtl_usbdev(rtl_usbpriv(hw));
|
||||
u32 ep_num;
|
||||
struct urb *_urb = NULL;
|
||||
struct sk_buff *_skb = NULL;
|
||||
|
||||
WARN_ON(NULL == rtlusb->usb_tx_aggregate_hdl);
|
||||
if (unlikely(IS_USB_STOP(rtlusb))) {
|
||||
|
@ -907,8 +904,7 @@ static void _rtl_usb_transmit(struct ieee80211_hw *hw, struct sk_buff *skb,
|
|||
return;
|
||||
}
|
||||
ep_num = rtlusb->ep_map.ep_mapping[qnum];
|
||||
_skb = skb;
|
||||
_urb = _rtl_usb_tx_urb_setup(hw, _skb, ep_num);
|
||||
_urb = _rtl_usb_tx_urb_setup(hw, skb, ep_num);
|
||||
if (unlikely(!_urb)) {
|
||||
pr_err("Can't allocate urb. Drop skb!\n");
|
||||
kfree_skb(skb);
|
||||
|
|
Loading…
Reference in New Issue