[kernel/f17] Fix uninitialized variable free in iwlwifi (rhbz 951241)

Tue Apr 16 14:43:57 UTC 2013

commit 7f35254607fc074339abe1b6714eba7d37043321
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Tue Apr 16 10:39:20 2013 -0400

    Fix uninitialized variable free in iwlwifi (rhbz 951241)

 iwlwifi-fix-freeing-uninitialized-pointer.patch |   51 +++++++++++++++++++++++
 kernel.spec                                     |    7 +++
 2 files changed, 58 insertions(+), 0 deletions(-)
---

diff --git a/iwlwifi-fix-freeing-uninitialized-pointer.patch b/iwlwifi-fix-freeing-uninitialized-pointer.patch
new file mode 100644
index 0000000..90e6b6f
--- /dev/null
+++ b/iwlwifi-fix-freeing-uninitialized-pointer.patch
@@ -0,0 +1,51 @@
+If on iwl_dump_nic_event_log() error occurs before that function
+initialize buf, we process uninitiated pointer in
+iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409"
+
+Resolves:
+https://bugzilla.redhat.com/show_bug.cgi?id=951241
+
+Reported-by: ian.odette at eprize.com
+Cc: stable at vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <sgruszka at redhat.com>
+---
+Patch is only compile tested, but I'm sure it fixes the problem.
+
+ drivers/net/wireless/iwlwifi/dvm/debugfs.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+index 7b8178b..cb6dd58 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
++++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
+@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file,
+ 					 size_t count, loff_t *ppos)
+ {
+ 	struct iwl_priv *priv = file->private_data;
+-	char *buf;
+-	int pos = 0;
+-	ssize_t ret = -ENOMEM;
++	char *buf = NULL;
++	ssize_t ret;
+ 
+-	ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true);
+-	if (buf) {
+-		ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
+-		kfree(buf);
+-	}
++	ret = iwl_dump_nic_event_log(priv, true, &buf, true);
++	if (ret < 0)
++		goto err;
++	ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
++err:
++	kfree(buf);
+ 	return ret;
+ }
+ 
+-- 
+1.7.11.7
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
+the body of a message to majordomo at vger.kernel.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
\ No newline at end of file
diff --git a/kernel.spec b/kernel.spec
index 611d4d1..49a346f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -783,6 +783,9 @@ Patch25009: tracing-Fix-possible-NULL-pointer-dereferences.patch
 #rhbz 919176
 Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch
 
+#rhbz 951241
+Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1524,6 +1527,9 @@ ApplyPatch tracing-Fix-possible-NULL-pointer-dereferences.patch
 #rhbz 919176
 ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch
 
+#rhbz 951241
+ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2381,6 +2387,7 @@ fi
 #              '-'
 %changelog
 * Tue Apr 16 2013 Josh Boyer <jwboyer at redhat.com>
+- Fix uninitialized variable free in iwlwifi (rhbz 951241)
 - Fix race in regulatory code (rhbz 919176)
 
 * Mon Apr 15 2013 Josh Boyer <jwboyer at redhat.com>
