Re: [PATCH v3] staging: rtl8723bs: os_dep: avoid NULL pointer dereference in rtw_cbuf_alloc

From: Andy Shevchenko

Date: Tue Apr 14 2026 - 03:47:45 EST


On Tue, Apr 14, 2026 at 12:43:06PM +0530, Shyam Sunder Reddy Padira wrote:
> The return value of kzalloc_flex() is used without
> ensuring that the allocation succeeded, and the
> pointer is dereferenced unconditionally.
>
> Guard the access to the allocated structure to
> avoid a potential NULL pointer dereference if the
> allocation fails.

You have a procedural issue here: please avoid sending a new patch version in
the same email thread. It makes things harder to follow. For example, I usually
mark the entire thread as read if I see some comments and don't want to go into
the details. It effectively means that I will never see the new version that
was already in the same thread!

...

> --- a/drivers/staging/rtl8723bs/os_dep/osdep_service.c
> +++ b/drivers/staging/rtl8723bs/os_dep/osdep_service.c
> @@ -194,7 +194,8 @@ struct rtw_cbuf *rtw_cbuf_alloc(u32 size)
> struct rtw_cbuf *cbuf;
>
> cbuf = kzalloc_flex(*cbuf, bufs, size);
> - cbuf->size = size;
> + if (cbuf)
> + cbuf->size = size;
>
> return cbuf;
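Review bot: the new `if (cbuf)` guard handles allocation failure, but `size` itself is still passed to `kzalloc_flex(*cbuf, bufs, size)` unchecked, so a caller asking for a zero-element circular buffer gets a struct with no `bufs` storage and `cbuf->size` set to 0. An early `if (!size) return NULL;` before the allocation would reject that case up front and give callers a single failure path to check; it also addresses the size-validation point raised in the reply below.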

Now to the code. This is still buggy. The problem is that the size is not
validated, and when it's 0, the same issue (dereference of an invalid pointer)
will happen.

Dan, JFYI, k*alloc*(0) returns neither NULL nor a valid pointer.

--
With Best Regards,
Andy Shevchenko