[thirdparty/kernel/stable-queue.git] / releases / 4.4.166 / cw1200-don-t-leak-memory-if-krealloc-failes.patch

From 9afdd6128c39f42398041bb2e017d8df0dcebcd1 Mon Sep 17 00:00:00 2001
From: Johannes Thumshirn <jthumshirn@suse.de>
Date: Fri, 30 Sep 2016 14:39:17 +0200
Subject: cw1200: Don't leak memory if krealloc failes

From: Johannes Thumshirn <jthumshirn@suse.de>

commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream.

The call to krealloc() in wsm_buf_reserve() directly assigns the newly
returned memory to buf->begin. This is all fine except when krealloc()
failes we loose the ability to free the old memory pointed to by
buf->begin. If we just create a temporary variable to assign memory to
and assign the memory to it we can mitigate the memory leak.

Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/cw1200/wsm.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/cw1200/wsm.c
+++ b/drivers/net/wireless/cw1200/wsm.c
@@ -1805,16 +1805,18 @@ static int wsm_buf_reserve(struct wsm_bu
 {
 	size_t pos = buf->data - buf->begin;
 	size_t size = pos + extra_size;
+	u8 *tmp;
 
 	size = round_up(size, FWLOAD_BLOCK_SIZE);
 
-	buf->begin = krealloc(buf->begin, size, GFP_KERNEL | GFP_DMA);
-	if (buf->begin) {
-		buf->data = &buf->begin[pos];
-		buf->end = &buf->begin[size];
-		return 0;
-	} else {
-		buf->end = buf->data = buf->begin;
+	tmp = krealloc(buf->begin, size, GFP_KERNEL | GFP_DMA);
+	if (!tmp) {
+		wsm_buf_deinit(buf);
 		return -ENOMEM;
 	}
+
+	buf->begin = tmp;
+	buf->data = &buf->begin[pos];
+	buf->end = &buf->begin[size];
+	return 0;
 }
Commit	Line	Data
0f36e06c GKH	1	From 9afdd6128c39f42398041bb2e017d8df0dcebcd1 Mon Sep 17 00:00:00 2001
	2	From: Johannes Thumshirn <jthumshirn@suse.de>
	3	Date: Fri, 30 Sep 2016 14:39:17 +0200
	4	Subject: cw1200: Don't leak memory if krealloc failes
	5
	6	From: Johannes Thumshirn <jthumshirn@suse.de>
	7
	8	commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream.
	9
	10	The call to krealloc() in wsm_buf_reserve() directly assigns the newly
	11	returned memory to buf->begin. This is all fine except when krealloc()
	12	failes we loose the ability to free the old memory pointed to by
	13	buf->begin. If we just create a temporary variable to assign memory to
	14	and assign the memory to it we can mitigate the memory leak.
	15
	16	Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
	17	Cc: Johannes Berg <johannes@sipsolutions.net>
	18	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	19	Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	drivers/net/wireless/cw1200/wsm.c \| 16 +++++++++-------
	24	1 file changed, 9 insertions(+), 7 deletions(-)
	25
	26	--- a/drivers/net/wireless/cw1200/wsm.c
	27	+++ b/drivers/net/wireless/cw1200/wsm.c
	28	@@ -1805,16 +1805,18 @@ static int wsm_buf_reserve(struct wsm_bu
	29	{
	30	size_t pos = buf->data - buf->begin;
	31	size_t size = pos + extra_size;
	32	+ u8 *tmp;
	33
	34	size = round_up(size, FWLOAD_BLOCK_SIZE);
	35
	36	- buf->begin = krealloc(buf->begin, size, GFP_KERNEL \| GFP_DMA);
	37	- if (buf->begin) {
	38	- buf->data = &buf->begin[pos];
	39	- buf->end = &buf->begin[size];
	40	- return 0;
	41	- } else {
	42	- buf->end = buf->data = buf->begin;
	43	+ tmp = krealloc(buf->begin, size, GFP_KERNEL \| GFP_DMA);
	44	+ if (!tmp) {
	45	+ wsm_buf_deinit(buf);
	46	return -ENOMEM;
	47	}
	48	+
	49	+ buf->begin = tmp;
	50	+ buf->data = &buf->begin[pos];
	51	+ buf->end = &buf->begin[size];
	52	+ return 0;
	53	}