mt7601u: do not free dma_buf when ivp allocation fails

If the allocation of ivp fails the error handling attempts to free an uninitialized dma_buf; this data structure just contains garbage on the stack, so the freeing will cause issues when the urb, buf and dma fields are free'd. Fix this by not free'ing the dma_buf if the ivp allocation fails. Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Julian Calaby <julian.calaby@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Jakub Kicinski <kubakici@wp.pl>
kuba-moo · May 17, 2016 · 9b8ff92 · 9b8ff92
1 parent 2ee1c0a
commit 9b8ff92
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/mcu.c b/mcu.c
@@ -362,7 +362,9 @@ mt7601u_upload_firmware(struct mt7601u_dev *dev, const struct mt76_fw *fw)
 	int i, ret;
 
 	ivb = kmemdup(fw->ivb, sizeof(fw->ivb), GFP_KERNEL);
-	if (!ivb || mt7601u_usb_alloc_buf(dev, MCU_FW_URB_SIZE, &dma_buf)) {
+	if (!ivb)
+		return -ENOMEM;
+	if (mt7601u_usb_alloc_buf(dev, MCU_FW_URB_SIZE, &dma_buf)) {
 		ret = -ENOMEM;
 		goto error;
 	}