[PATCH] staging: rtl8723bs: core: avoid NULL pointer dereference in c2h_wk_callback

From: Nikoloz Bakuradze

Date: Mon Jun 08 2026 - 15:08:50 EST


c2h_wk_callback() allocates a 16-byte buffer with kmalloc(GFP_ATOMIC)
when the c2h event needs to be read by the host. The existing guard
only wraps the read step, so on allocation failure the loop body falls
through with a NULL c2h_evt and dereferences it in rtw_hal_c2h_valid()
(via c2h_evt_valid() which reads buf->id).

Restructure the check into an early continue so the rest of the loop
iteration cannot be reached with a NULL pointer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Nikoloz Bakuradze <nbakuradze28@xxxxxxxxx>
---
drivers/staging/rtl8723bs/core/rtw_cmd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
index c1185c25ed369..874970116f920 100644
--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
+++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
@@ -1702,12 +1702,12 @@ static void c2h_wk_callback(struct work_struct *work)
c2h_evt_clear(adapter);
} else {
c2h_evt = kmalloc(16, GFP_ATOMIC);
- if (c2h_evt) {
- /* This C2H event is not read, read & clear now */
- if (c2h_evt_read_88xx(adapter, c2h_evt) != _SUCCESS) {
- kfree(c2h_evt);
- continue;
- }
+ if (!c2h_evt)
+ continue;
+ /* This C2H event is not read, read & clear now */
+ if (c2h_evt_read_88xx(adapter, c2h_evt) != _SUCCESS) {
+ kfree(c2h_evt);
+ continue;
}
}
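
Review bot: On the new `if (!c2h_evt) continue;` path the event is neither read nor cleared, whereas the branch just above calls c2h_evt_clear(adapter) and the comment describes this branch as "read & clear now". If the event can stay pending when the 16-byte buffer cannot be allocated, consider calling c2h_evt_clear(adapter) before the continue, or say in the commit message why skipping the clear is safe. A blank line after the early `continue;` would also set the allocation check apart from the read step.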

--
2.54.0