[PATCH AUTOSEL 4.14 18/43] staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc

From: Sasha Levin
Date: Mon Apr 22 2019 - 15:48:18 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 4.14 27/43] net: ibm: fix possible object reference leak"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.14 17/43] net: ks8851: Set initial carrier state to down"
In reply to: Sasha Levin: "[PATCH AUTOSEL 4.14 17/43] net: ks8851: Set initial carrier state to down"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 4.14 27/43] net: ibm: fix possible object reference leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Aditya Pakki <pakki001@xxxxxxx>

[ Upstream commit 7671ce0d92933762f469266daf43bd34d422d58c ]

hwxmits is allocated via kcalloc and not checked for failure before its
dereference. The patch fixes this problem by returning error upstream
in rtl8723bs, rtl8188eu.

Signed-off-by: Aditya Pakki <pakki001@xxxxxxx>
Acked-by: Mukesh Ojha <mojha@xxxxxxxxxxxxxx>
Reviewed-by: Hans de Goede <hdegoede@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin (Microsoft) <sashal@xxxxxxxxxx>
---
drivers/staging/rtl8188eu/core/rtw_xmit.c | 9 +++++++--
drivers/staging/rtl8188eu/include/rtw_xmit.h | 2 +-
drivers/staging/rtl8723bs/core/rtw_xmit.c | 14 +++++++-------
drivers/staging/rtl8723bs/include/rtw_xmit.h | 2 +-
4 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
index be2f46eb9f78..904b988ecc4e 100644
--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
+++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
@@ -188,7 +188,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)

pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;

- rtw_alloc_hwxmits(padapter);
+ res = rtw_alloc_hwxmits(padapter);
+ if (res == _FAIL)
+ goto exit;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);

for (i = 0; i < 4; i++)
@@ -1573,7 +1575,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
return res;
}

-void rtw_alloc_hwxmits(struct adapter *padapter)
+s32 rtw_alloc_hwxmits(struct adapter *padapter)
{
struct hw_xmit *hwxmits;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -1582,6 +1584,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)

pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry,
sizeof(struct hw_xmit), GFP_KERNEL);
+ if (!pxmitpriv->hwxmits)
+ return _FAIL;

hwxmits = pxmitpriv->hwxmits;

@@ -1589,6 +1593,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
hwxmits[1] .sta_queue = &pxmitpriv->vi_pending;
hwxmits[2] .sta_queue = &pxmitpriv->be_pending;
hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
+ return _SUCCESS;
}

void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h
index dd6b7a9a8d4a..1be4b478475a 100644
--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h
+++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h
@@ -342,7 +342,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
-void rtw_alloc_hwxmits(struct adapter *padapter);
+s32 rtw_alloc_hwxmits(struct adapter *padapter);
void rtw_free_hwxmits(struct adapter *padapter);
s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 022f654419e4..91dab7f8a739 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -271,7 +271,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
}
}

- rtw_alloc_hwxmits(padapter);
+ res = rtw_alloc_hwxmits(padapter);
+ if (res == _FAIL)
+ goto exit;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);

for (i = 0; i < 4; i++) {
@@ -2157,7 +2159,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
return res;
}

-void rtw_alloc_hwxmits(struct adapter *padapter)
+s32 rtw_alloc_hwxmits(struct adapter *padapter)
{
struct hw_xmit *hwxmits;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -2168,10 +2170,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)

pxmitpriv->hwxmits = (struct hw_xmit *)rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry);

- if (pxmitpriv->hwxmits == NULL) {
- DBG_871X("alloc hwxmits fail!...\n");
- return;
- }
+ if (!pxmitpriv->hwxmits)
+ return _FAIL;

hwxmits = pxmitpriv->hwxmits;

@@ -2217,7 +2217,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)

}

-
+ return _SUCCESS;
}

void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h
index 11571649cd2c..92236ca8a1ef 100644
--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h
+++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h
@@ -494,7 +494,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv);

-void rtw_alloc_hwxmits(struct adapter *padapter);
+s32 rtw_alloc_hwxmits(struct adapter *padapter);
void rtw_free_hwxmits(struct adapter *padapter);

--
2.19.1

Next message: Sasha Levin: "[PATCH AUTOSEL 4.14 27/43] net: ibm: fix possible object reference leak"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.14 17/43] net: ks8851: Set initial carrier state to down"
In reply to: Sasha Levin: "[PATCH AUTOSEL 4.14 17/43] net: ks8851: Set initial carrier state to down"
Next in thread: Sasha Levin: "[PATCH AUTOSEL 4.14 27/43] net: ibm: fix possible object reference leak"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]