Oops. I forgot to put commentary on this one. See below.
On Fri, Apr 21, 2017 at 11:11:05PM +0300, Dan Carpenter wrote:
> Hello Ming Lei,
>
> The patch e6c6d33cb7d1: "ath9k-htc:respect usb buffer cacheline
> alignment in reg in path" from Apr 13, 2010, leads to the following
> static checker warning:
>
> drivers/net/wireless/ath/ath9k/hif_usb.c:745 ath9k_hif_usb_reg_in_cb()
> warn: 'skb' was already freed.
>
> drivers/net/wireless/ath/ath9k/hif_usb.c
> 712         if (likely(urb->actual_length != 0)) {
> 713                 skb_put(skb, urb->actual_length);
> 714
> 715                 /* Process the command first */
> 716                 ath9k_htc_rx_msg(hif_dev->htc_handle, skb,
                                                            ^^^
Pretty sure "skb" gets freed here.
> 717                                  skb->len, USB_REG_IN_PIPE);
> 718
> 719
> 720                 nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC);
> 721                 if (!nskb) {
> 722                         dev_err(&hif_dev->udev->dev,
> 723                                 "ath9k_htc: REG_IN memory allocation failure\n");
> 724                         urb->context = NULL;
> 725                         return;
> 726                 }
> 727
> 728                 usb_fill_int_urb(urb, hif_dev->udev,
> 729                                  usb_rcvintpipe(hif_dev->udev,
> 730                                                 USB_REG_IN_PIPE),
> 731                                  nskb->data, MAX_REG_IN_BUF_SIZE,
> 732                                  ath9k_hif_usb_reg_in_cb, nskb, 1);
> 733         }
> 734
> 735 resubmit:
> 736         usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
> 737         ret = usb_submit_urb(urb, GFP_ATOMIC);
> 738         if (ret) {
> 739                 usb_unanchor_urb(urb);
> 740                 goto free;
                      ^^^^^^^^^
Assume we hit this goto.
> 741         }
> 742
> 743         return;
> 744 free:
> 745         kfree_skb(skb);
                        ^^^
Double free.
> 746         urb->context = NULL;
> 747 }
>
regards,
dan carpenter
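
The ownership error flagged in this report, modelled in user space as an added example (not code from the original message or from the kernel). `struct buf`, `rx_msg`, `reg_in_cb` and `run_case` are constructed stand-ins, and the `fixed` branch is one assumed way to keep the error path pointed at the buffer that is still owned, not the upstream fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for an sk_buff: counts frees instead of releasing
 * memory, so a double free can be observed without undefined behaviour. */
struct buf { int frees; };
struct urb_model { struct buf *context; };
struct result { int old_frees; int new_frees; };

static void buf_free(struct buf *b) { if (b) b->frees++; }

/* Models the hand-off at line 716: the receiver owns and frees the buffer. */
static void rx_msg(struct buf *b) { buf_free(b); }

/* Models the callback for a non-empty transfer; 'fixed' selects the variant. */
static void reg_in_cb(struct urb_model *urb, struct buf *nskb,
                      bool submit_ok, bool fixed)
{
    struct buf *skb = urb->context;

    rx_msg(skb);               /* ownership of the old buffer ends here */
    if (fixed)
        skb = nskb;            /* assumption: track the buffer still owned */
    urb->context = nskb;       /* URB refilled with the replacement buffer */

    if (submit_ok)
        return;                /* the next completion will own nskb */
    buf_free(skb);             /* error path: frees whatever 'skb' names */
    urb->context = NULL;
}

/* Runs one completion and reports how often each buffer was freed. */
struct result run_case(bool submit_ok, bool fixed)
{
    struct buf old = {0}, repl = {0};
    struct urb_model urb = { .context = &old };

    reg_in_cb(&urb, &repl, submit_ok, fixed);
    return (struct result){ old.frees, repl.frees };
}

int main(void)
{
    struct result bad = run_case(false, false), ok = run_case(false, true);
    printf("stale pointer:  old=%d repl=%d\n", bad.old_frees, bad.new_frees);
    printf("retargeted skb: old=%d repl=%d\n", ok.old_frees, ok.new_frees);
    return 0;
}
```

When the resubmit fails, the stale-pointer variant frees the old buffer twice and never frees the replacement; the retargeted variant frees each buffer once.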