[PATCH 4.4 66/93] brcmfmac: Fix glob_skb leak in brcmf_sdiod_recv_chain

From: Greg Kroah-Hartman
Date: Thu Oct 06 2016 - 04:58:52 EST

4.4-stable review patch. If anyone has any objections, please let me know.


From: Florian Fainelli <f.fainelli@xxxxxxxxx>

commit 3bdae810721b33061d2e541bd78a70f86ca42af3 upstream.

In case brcmf_sdiod_recv_chain() cannot complete a succeful call to
brcmf_sdiod_buffrw, we would be leaking glom_skb and not free it as we
should, fix this.

Reported-by: coverity (CID 1164856)
Fixes: a413e39a38573 ("brcmfmac: fix brcmf_sdcard_recv_chain() for host without sg support")
Signed-off-by: Florian Fainelli <f.fainelli@xxxxxxxxx>
Acked-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c
@@ -726,8 +726,10 @@ int brcmf_sdiod_recv_chain(struct brcmf_
return -ENOMEM;
err = brcmf_sdiod_buffrw(sdiodev, SDIO_FUNC_2, false, addr,
- if (err)
+ if (err) {
+ brcmu_pkt_buf_free_skb(glom_skb);
goto done;
+ }

skb_queue_walk(pktq, skb) {
memcpy(skb->data, glom_skb->data, skb->len);