Re: [PATCH] ath11k: fix a double free and a memory leak

[Nathan Chancellor <natechancellor@gmail.com>]

On Sun, Sep 06, 2020 at 02:26:25PM -0700, trix@redhat.com wrote:
> From: Tom Rix <trix@redhat.com>
> 
> clang static analyzer reports this problem
> 
> mac.c:6204:2: warning: Attempt to free released memory
>         kfree(ar->mac.sbands[NL80211_BAND_2GHZ].channels);
>         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> The channels pointer is allocated in ath11k_mac_setup_channels_rates()
> When it fails midway, it cleans up the memory it has already allocated.
> So the error handling needs to skip freeing the memory.
> 
> There is a second problem.
> ath11k_mac_setup_channels_rates(), allocates 3 channels. err_free
> misses releasing ar->mac.sbands[NL80211_BAND_6GHZ].channels
> 
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Tom Rix <trix@redhat.com>

Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>

> ---
>  drivers/net/wireless/ath/ath11k/mac.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
> index f4a085baff38..f1a964b01a83 100644
> --- a/drivers/net/wireless/ath/ath11k/mac.c
> +++ b/drivers/net/wireless/ath/ath11k/mac.c
> @@ -6089,7 +6089,7 @@ static int __ath11k_mac_register(struct ath11k *ar)
>  	ret = ath11k_mac_setup_channels_rates(ar,
>  					      cap->supported_bands);
>  	if (ret)
> -		goto err_free;
> +		goto err;
>  
>  	ath11k_mac_setup_ht_vht_cap(ar, cap, &ht_cap);
>  	ath11k_mac_setup_he_cap(ar, cap);
> @@ -6203,7 +6203,8 @@ static int __ath11k_mac_register(struct ath11k *ar)
>  err_free:
>  	kfree(ar->mac.sbands[NL80211_BAND_2GHZ].channels);
>  	kfree(ar->mac.sbands[NL80211_BAND_5GHZ].channels);
> -
> +	kfree(ar->mac.sbands[NL80211_BAND_6GHZ].channels);
> +err:
>  	SET_IEEE80211_DEV(ar->hw, NULL);
>  	return ret;
>  }
> -- 
> 2.18.1
>