diff options
author | Stanislaw Gruszka <sgruszka@redhat.com> | 2013-04-16 15:38:29 +0200 |
---|---|---|
committer | Johannes Berg <johannes.berg@intel.com> | 2013-04-18 13:28:53 +0200 |
commit | 3309ccf7fcebceef540ebe90c65d2f94d745a45b (patch) | |
tree | f0dc6db1b70253ad666a923e5783ef5e3e860ac4 | |
parent | 0aed849f61c1235041f98e4178d0a60aaa1dc548 (diff) |
iwlwifi: fix freeing uninitialized pointer
If on iwl_dump_nic_event_log() error occurs before that function
initialize buf, we process uninitiated pointer in
iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409"
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=951241
Cc: stable@vger.kernel.org
Reported-by: ian.odette@eprize.com
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-rw-r--r-- | drivers/net/wireless/iwlwifi/dvm/debugfs.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c index 7b8178be119..cb6dd5813fb 100644 --- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c +++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c @@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file, size_t count, loff_t *ppos) { struct iwl_priv *priv = file->private_data; - char *buf; - int pos = 0; - ssize_t ret = -ENOMEM; + char *buf = NULL; + ssize_t ret; - ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true); - if (buf) { - ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos); - kfree(buf); - } + ret = iwl_dump_nic_event_log(priv, true, &buf, true); + if (ret < 0) + goto err; + ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret); +err: + kfree(buf); return ret; } |