| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7sj3dofsdl2itsjll5atntvddigztn375czobtmq2ymxeezsir@5me2m2pjbgna> Date: Fri, 14 Nov 2025 14:30:23 +0530 From: Abdun Nihaal <nihaal@....iitm.ac.in> To: Ping-Ke Shih <pkshih@...ltek.com> Cc: "linux-wireless@...r.kernel.org" <linux-wireless@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] rtl818x_pci: Fix potential memory leaks in rtl8180_init_rx_ring() On Fri, Nov 14, 2025 at 07:20:05AM +0000, Ping-Ke Shih wrote: > > I'm surprised that people work on this old driver, and how did you find > this flaw? I'm building a static analysis tool for my research. This issue showed up when I ran the tool on all kernel drivers. > It seems like rtl8180_free_rx_ring() does all things you are adding, so > just goto err_free_rings? > > @@ -1130,7 +1131,7 @@ static int rtl8180_start(struct ieee80211_hw *dev) > > ret = rtl8180_init_rx_ring(dev); > if (ret) > - return ret; > + goto err_free_rings; > > for (i = 0; i < (dev->queues + 1); i++) > if ((ret = rtl8180_init_tx_ring(dev, i, 16))) Yes, calling rtl8180_free_rx_ring() is much simpler. But the error path of rtl8180_init_tx_ring() is not setting the freed object to NULL, which could lead to a double free. Moreover, I feel handling it inside the rtl8180_init_tx_ring() function itself is better, to have it allocate all or none. I'll simplify the error path of rtl8180_init_tx_ring() by calling rtl8180_free_rx_ring(), and send a v2 patch. Regards, Nihaal
Powered by blists - more mailing lists