authorJosh Boyer <jwboyer@redhat.com>2013-04-16 10:39:20 -0400
committerJosh Boyer <jwboyer@redhat.com>2013-04-16 10:43:45 -0400
commit76273d4703371c3303d8b2414869037aba4b4845 (patch)
tree9bc375ada8a48c984a4e8d4a8582c731fd2f55f4
parent87048d88845905ce3a61a68a11abb5cfdd8e86b5 (diff)
Fix uninitialized variable free in iwlwifi (rhbz 951241)
-rw-r--r--iwlwifi-fix-freeing-uninitialized-pointer.patch51
-rw-r--r--kernel.spec7
2 files changed, 58 insertions, 0 deletions
diff --git a/iwlwifi-fix-freeing-uninitialized-pointer.patch b/iwlwifi-fix-freeing-uninitialized-pointer.patch
new file mode 100644
index 000000000..90e6b6f64
--- /dev/null
+++ b/iwlwifi-fix-freeing-uninitialized-pointer.patch
@@ -0,0 +1,51 @@
+If on iwl_dump_nic_event_log() error occurs before that function
+initialize buf, we process uninitiated pointer in
+iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409"
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=951241
+
+Reported-by: ian.odette@eprize.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+---
+Patch is only compile tested, but I'm sure it fixes the problem.
+
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+index 7b8178b..cb6dd58 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
++++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file,
+ size_t count, loff_t *ppos)
+ {
+ struct iwl_priv *priv = file->private_data;
+- char *buf;
+- int pos = 0;
+- ssize_t ret = -ENOMEM;
++ char *buf = NULL;
++ ssize_t ret;
+
+- ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true);
+- if (buf) {
+- ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
+- kfree(buf);
+- }
++ ret = iwl_dump_nic_event_log(priv, true, &buf, true);
++ if (ret < 0)
++ goto err;
++ ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
++err:
++ kfree(buf);
+ return ret;
+ }
+
+--
+1.7.11.7
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
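Review bot: With the `if (buf)` guard removed, the `simple_read_from_buffer()` call and the `kfree(buf)` under `err:` in iwl_dbgfs_log_event_read() depend on a contract of iwl_dump_nic_event_log() that this hunk does not show: a positive return must mean `*buf` holds at least that many bytes, and a negative return must leave `*buf` either untouched or still owned by the caller. If any error path in the callee frees the buffer without resetting `*buf`, the now unconditional `kfree(buf)` becomes a double free, so the callee is worth checking, particularly as the patch notes say it was only compile tested. I would also record why the initialiser matters, e.g. `/* must start NULL: iwl_dump_nic_event_log() can fail before assigning *buf, and err: kfree()s it */` above `char *buf = NULL;`. The function's signature begins above the hunk.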
diff --git a/kernel.spec b/kernel.spec
index cb6e15d21..cb7fceec7 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -748,6 +748,9 @@ Patch23008: forcedeth-dma-error-check.patch
#rhbz 919176
Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch
+#rhbz 951241
+Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -1446,6 +1449,9 @@ ApplyPatch forcedeth-dma-error-check.patch
#rhbz 919176
ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch
+#rhbz 951241
+ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2280,6 +2286,7 @@ fi
# || ||
%changelog
* Tue Apr 16 2013 Josh Boyer <jwboyer@redhat.com>
+- Fix uninitialized variable free in iwlwifi (rhbz 951241)
- Fix race in regulatory code (rhbz 919176)
* Mon Apr 15 2013 Josh Boyer <jwboyer@redhat.com>