xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wifi: mwifiex: avoid possible NULL skb pointer dereference

Browse Source 
[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ]

In 'mwifiex_handle_uap_rx_forward()', always check the value
returned by 'skb_copy()' to avoid potential NULL pointer
dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
original skb in case of copying failure.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 838e4f4492 ("mwifiex: improve uAP RX handling")
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Dmitry Antipov
2023-08-14 12:49:57 +03:00
committed by Greg Kroah-Hartman
parent cfce1973ff
commit bef85d58f7
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
drivers/net/wireless/marvell/mwifiex/uap_txrx.c
View File

@@ -265,7 +265,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
if (is_multicast_ether_addr(ra)) { if (is_multicast_ether_addr(ra)) {
skb_uap = skb_copy(skb, GFP_ATOMIC); skb_uap = skb_copy(skb, GFP_ATOMIC);
if (likely(skb_uap)) {
mwifiex_uap_queue_bridged_pkt(priv, skb_uap); mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
} else {
mwifiex_dbg(adapter, ERROR,
"failed to copy skb for uAP\n");
priv->stats.rx_dropped++;
dev_kfree_skb_any(skb);
return -1;
}
} else { } else {
if (mwifiex_get_sta_entry(priv, ra)) { if (mwifiex_get_sta_entry(priv, ra)) {
/* Requeue Intra-BSS packet */ /* Requeue Intra-BSS packet */