Merge tag 'ieee802154-for-davem-2020-09-08' of git://git.kernel.org/pub/scm/linux...

Stefan Schmidt says:

====================
pull-request: ieee802154 for net 2020-09-08

An update from ieee802154 for your *net* tree.

A potential memory leak fix for ca8210 from Liu Jian,
a check on the return for a register read in adf7242
and finally a user after free fix in the softmac tx
function from Eric found by syzkaller.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
index c11f32f..7db9cbd 100644 (file)
--- a/drivers/net/ieee802154/adf7242.c
+++ b/drivers/net/ieee802154/adf7242.c
@@ -882,7 +882,9 @@ static int adf7242_rx(struct adf7242_local *lp)
        int ret;
        u8 lqi, len_u8, *data;
 
-       adf7242_read_reg(lp, 0, &len_u8);
+       ret = adf7242_read_reg(lp, 0, &len_u8);
+       if (ret)
+               return ret;
 
        len = len_u8;
 

diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index e04c3b6..4eb6470 100644 (file)
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2925,6 +2925,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv)
        );
        if (!priv->irq_workqueue) {
                dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n");
+               destroy_workqueue(priv->mlme_workqueue);
                return -ENOMEM;
        }
 

diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
index ab52811..c829e4a 100644 (file)
--- a/net/mac802154/tx.c
+++ b/net/mac802154/tx.c
@@ -34,11 +34,11 @@ void ieee802154_xmit_worker(struct work_struct *work)
        if (res)
                goto err_tx;
 
-       ieee802154_xmit_complete(&local->hw, skb, false);
-
        dev->stats.tx_packets++;
        dev->stats.tx_bytes += skb->len;
 
+       ieee802154_xmit_complete(&local->hw, skb, false);
+
        return;
 
 err_tx:
@@ -78,6 +78,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
 
        /* async is priority, otherwise sync is fallback */
        if (local->ops->xmit_async) {
+               unsigned int len = skb->len;
+
                ret = drv_xmit_async(local, skb);
                if (ret) {
                        ieee802154_wake_queue(&local->hw);
@@ -85,7 +87,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
                }
 
                dev->stats.tx_packets++;
-               dev->stats.tx_bytes += skb->len;
+               dev->stats.tx_bytes += len;
        } else {
                local->tx_skb = skb;
                queue_work(local->workqueue, &local->tx_work);