lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20131211155249.GD7411@tuxdriver.com>
Date:	Wed, 11 Dec 2013 10:52:50 -0500
From:	"John W. Linville" <linville@...driver.com>
To:	Michal Nazarewicz <mina86@...a86.com>
Cc:	Eugene Krasnikov <k.eugene.e@...il.com>,
	Peter Stuge <peter@...ge.se>,
	ath9k-devel <ath9k-devel@...ema.h4ckr.net>,
	linux-wireless <linux-wireless@...r.kernel.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] net: wirelesse: wcn36xx: check allocation and trim
 critical section

Missing Signed-off-by...

On Mon, Dec 09, 2013 at 12:34:04PM +0100, Michal Nazarewicz wrote:
> Commit [3469adb3: fix potential NULL pointer dereference] introduced
> a check of msg_ind allocation, but omitted allocation of msg_ind->msg.
> Moreover, it introduced two if statements, which looked a bit clunky.
> 
> This commit moves allocation code outside of the critical section so
> there's no need to dance around mutex_unlock, and adds the missing
> allocation check.
> 
> ---
>  drivers/net/wireless/ath/wcn36xx/smd.c | 32 +++++++++++++++++++-------------
>  1 file changed, 19 insertions(+), 13 deletions(-)
> 
> On Mon, Dec 09 2013, Eugene Krasnikov wrote:
> > hal_ind_mutex suppose to protect msg_ind but with this patch
> > allocation will be done outside the critical section.
> 
> msg_ind is a local variable which is not shared outside of the function
> until it's added to a list.  I don't see how it matters if it's
> allocation and initialisation is done under mutex.
> 
> In fact, there's another kmalloc call that should be checked and can be
> done outside of the critical section, so disregard my previous patch,
> here's a new one.
> 
> diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
> index 823631c..713e3ce 100644
> --- a/drivers/net/wireless/ath/wcn36xx/smd.c
> +++ b/drivers/net/wireless/ath/wcn36xx/smd.c
> @@ -2056,22 +2056,28 @@ static void wcn36xx_smd_rsp_process(struct wcn36xx *wcn, void *buf, size_t len)
>  	case WCN36XX_HAL_OTA_TX_COMPL_IND:
>  	case WCN36XX_HAL_MISSED_BEACON_IND:
>  	case WCN36XX_HAL_DELETE_STA_CONTEXT_IND:
> -		mutex_lock(&wcn->hal_ind_mutex);
>  		msg_ind = kmalloc(sizeof(*msg_ind), GFP_KERNEL);
> -		if (msg_ind) {
> -			msg_ind->msg_len = len;
> -			msg_ind->msg = kmalloc(len, GFP_KERNEL);
> -			memcpy(msg_ind->msg, buf, len);
> -			list_add_tail(&msg_ind->list, &wcn->hal_ind_queue);
> -			queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work);
> -			wcn36xx_dbg(WCN36XX_DBG_HAL, "indication arrived\n");
> +		if (!msg_ind)
> +			goto nomem;
> +		msg_ind->msg_len = len;
> +		msg_ind->msg = kmalloc(len, GFP_KERNEL);
> +		if (!msg_ind->msg) {
> +			kfree(msg_ind);
> +nomem:
> +			/*
> +			 * FIXME: Do something smarter then just
> +			 * printing an error.
> +			 */
> +			wcn36xx_err("Run out of memory while handling SMD_EVENT (%d)\n",
> +				    msg_header->msg_type);
> +			break;
>  		}
> +		memcpy(msg_ind->msg, buf, len);
> +		mutex_lock(&wcn->hal_ind_mutex);
> +		list_add_tail(&msg_ind->list, &wcn->hal_ind_queue);
> +		queue_work(wcn->hal_ind_wq, &wcn->hal_ind_work);
>  		mutex_unlock(&wcn->hal_ind_mutex);
> -		if (msg_ind)
> -			break;
> -		/* FIXME: Do something smarter then just printing an error. */
> -		wcn36xx_err("Run out of memory while handling SMD_EVENT (%d)\n",
> -			    msg_header->msg_type);
> +		wcn36xx_dbg(WCN36XX_DBG_HAL, "indication arrived\n");
>  		break;
>  	default:
>  		wcn36xx_err("SMD_EVENT (%d) not supported\n",
> -- 
> 1.8.4
> 



-- 
John W. Linville		Someday the world will need a hero, and you
linville@...driver.com			might be all we have.  Be ready.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ