From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Aditya Pakki <pakki001@umn.edu>,
Mukesh Ojha <mojha@codeaurora.org>,
Hans de Goede <hdegoede@redhat.com>,
"Sasha Levin (Microsoft)" <sashal@kernel.org>
Subject: [PATCH 4.14 25/49] staging: rtl8188eu: Fix potential NULL pointer dereference of kcalloc
Date: Thu, 2 May 2019 17:21:02 +0200 [thread overview]
Message-ID: <20190502143327.070889060@linuxfoundation.org> (raw)
In-Reply-To: <20190502143323.397051088@linuxfoundation.org>
[ Upstream commit 7671ce0d92933762f469266daf43bd34d422d58c ]
hwxmits is allocated via kcalloc and not checked for failure before its
dereference. The patch fixes this problem by returning error upstream
in rtl8723bs, rtl8188eu.
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Acked-by: Mukesh Ojha <mojha@codeaurora.org>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
---
drivers/staging/rtl8188eu/core/rtw_xmit.c | 9 +++++++--
drivers/staging/rtl8188eu/include/rtw_xmit.h | 2 +-
drivers/staging/rtl8723bs/core/rtw_xmit.c | 14 +++++++-------
drivers/staging/rtl8723bs/include/rtw_xmit.h | 2 +-
4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_xmit.c b/drivers/staging/rtl8188eu/core/rtw_xmit.c
index be2f46eb9f78..904b988ecc4e 100644
--- a/drivers/staging/rtl8188eu/core/rtw_xmit.c
+++ b/drivers/staging/rtl8188eu/core/rtw_xmit.c
@@ -188,7 +188,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
- rtw_alloc_hwxmits(padapter);
+ res = rtw_alloc_hwxmits(padapter);
+ if (res == _FAIL)
+ goto exit;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
for (i = 0; i < 4; i++)
@@ -1573,7 +1575,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
return res;
}
-void rtw_alloc_hwxmits(struct adapter *padapter)
+s32 rtw_alloc_hwxmits(struct adapter *padapter)
{
struct hw_xmit *hwxmits;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -1582,6 +1584,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
pxmitpriv->hwxmits = kcalloc(pxmitpriv->hwxmit_entry,
sizeof(struct hw_xmit), GFP_KERNEL);
+ if (!pxmitpriv->hwxmits)
+ return _FAIL;
hwxmits = pxmitpriv->hwxmits;
@@ -1589,6 +1593,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
hwxmits[1] .sta_queue = &pxmitpriv->vi_pending;
hwxmits[2] .sta_queue = &pxmitpriv->be_pending;
hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
+ return _SUCCESS;
}
void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/rtl8188eu/include/rtw_xmit.h b/drivers/staging/rtl8188eu/include/rtw_xmit.h
index dd6b7a9a8d4a..1be4b478475a 100644
--- a/drivers/staging/rtl8188eu/include/rtw_xmit.h
+++ b/drivers/staging/rtl8188eu/include/rtw_xmit.h
@@ -342,7 +342,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
-void rtw_alloc_hwxmits(struct adapter *padapter);
+s32 rtw_alloc_hwxmits(struct adapter *padapter);
void rtw_free_hwxmits(struct adapter *padapter);
s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index 022f654419e4..91dab7f8a739 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -271,7 +271,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
}
}
- rtw_alloc_hwxmits(padapter);
+ res = rtw_alloc_hwxmits(padapter);
+ if (res == _FAIL)
+ goto exit;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
for (i = 0; i < 4; i++) {
@@ -2157,7 +2159,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
return res;
}
-void rtw_alloc_hwxmits(struct adapter *padapter)
+s32 rtw_alloc_hwxmits(struct adapter *padapter)
{
struct hw_xmit *hwxmits;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -2168,10 +2170,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
pxmitpriv->hwxmits = (struct hw_xmit *)rtw_zmalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry);
- if (pxmitpriv->hwxmits == NULL) {
- DBG_871X("alloc hwxmits fail!...\n");
- return;
- }
+ if (!pxmitpriv->hwxmits)
+ return _FAIL;
hwxmits = pxmitpriv->hwxmits;
@@ -2217,7 +2217,7 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
}
-
+ return _SUCCESS;
}
void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/rtl8723bs/include/rtw_xmit.h b/drivers/staging/rtl8723bs/include/rtw_xmit.h
index 11571649cd2c..92236ca8a1ef 100644
--- a/drivers/staging/rtl8723bs/include/rtw_xmit.h
+++ b/drivers/staging/rtl8723bs/include/rtw_xmit.h
@@ -494,7 +494,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
void _rtw_free_xmit_priv (struct xmit_priv *pxmitpriv);
-void rtw_alloc_hwxmits(struct adapter *padapter);
+s32 rtw_alloc_hwxmits(struct adapter *padapter);
void rtw_free_hwxmits(struct adapter *padapter);
--
2.19.1
next prev parent reply other threads:[~2019-05-02 15:24 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-02 15:20 [PATCH 4.14 00/49] 4.14.116-stable review Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 01/49] selinux: use kernel linux/socket.h for genheaders and mdp Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 02/49] usbnet: ipheth: prevent TX queue timeouts when device not ready Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 03/49] usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 04/49] mm: make page ref count overflow check tighter and more explicit Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 05/49] mm: add try_get_page() helper function Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 06/49] mm: prevent get_user_pages() from overflowing page refcount Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 07/49] fs: prevent page refcount overflow in pipe_buf_get Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 08/49] ARM: dts: bcm283x: Fix hdmi hpd gpio pull Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 09/49] s390: limit brk randomization to 32MB Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 10/49] qlcnic: Avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 11/49] netfilter: nft_set_rbtree: check for inactive element after flag mismatch Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 12/49] netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 13/49] s390/qeth: fix race when initializing the IP address table Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 14/49] sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init() Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 15/49] serial: ar933x_uart: Fix build failure with disabled console Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 16/49] KVM: arm/arm64: vgic-its: Take the srcu lock when parsing the memslots Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 17/49] usb: gadget: net2280: Fix overrun of OUT messages Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 18/49] usb: gadget: net2280: Fix net2280_dequeue() Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 19/49] usb: gadget: net2272: Fix net2272_dequeue() Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 20/49] ARM: dts: pfla02: increase phy reset duration Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 21/49] net: ks8851: Dequeue RX packets explicitly Greg Kroah-Hartman
2019-05-02 15:20 ` [PATCH 4.14 22/49] net: ks8851: Reassert reset pin if chip ID check fails Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 23/49] net: ks8851: Delay requesting IRQ until opened Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 24/49] net: ks8851: Set initial carrier state to down Greg Kroah-Hartman
2019-05-02 15:21 ` Greg Kroah-Hartman [this message]
2019-05-02 15:21 ` [PATCH 4.14 26/49] staging: rtlwifi: rtl8822b: fix to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 27/49] staging: rtl8712: uninitialized memory in read_bbreg_hdl() Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 28/49] staging: rtlwifi: Fix potential NULL pointer dereference of kzalloc Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 29/49] net: macb: Add null check for PCLK and HCLK Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 30/49] net/sched: dont dereference a->goto_chain to read the chain index Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 31/49] ARM: dts: imx6qdl: Fix typo in imx6qdl-icore-rqs.dtsi Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 32/49] NFS: Fix a typo in nfs_init_timeout_values() Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 33/49] net: xilinx: fix possible object reference leak Greg Kroah-Hartman
2019-05-02 15:21 ` Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 34/49] net: ibm: " Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 35/49] net: ethernet: ti: " Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 36/49] gpio: aspeed: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 37/49] drm/meson: Fix invalid pointer in meson_drv_unbind() Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 38/49] drm/meson: Uninstall IRQ handler Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 39/49] scsi: qla4xxx: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 40/49] usb: usb251xb: fix to avoid " Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 41/49] usb: u132-hcd: fix resource leak Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 42/49] ceph: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 43/49] scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 44/49] libata: fix using DMA buffers on stack Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 45/49] gpio: of: Fix of_gpiochip_add() error path Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 46/49] kconfig/[mn]conf: handle backspace (^H) key Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 47/49] iommu/amd: Reserve exclusion range in iova-domain Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 48/49] ptrace: take into account saved_sigmask in PTRACE{GET,SET}SIGMASK Greg Kroah-Hartman
2019-05-02 15:21 ` [PATCH 4.14 49/49] leds: pca9532: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-03 0:06 ` [PATCH 4.14 00/49] 4.14.116-stable review kernelci.org bot
2019-05-03 6:55 ` Naresh Kamboju
2019-05-03 9:27 ` Jon Hunter
2019-05-03 9:27 ` Jon Hunter
2019-05-03 17:15 ` Guenter Roeck
2019-05-03 21:20 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190502143327.070889060@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=hdegoede@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mojha@codeaurora.org \
--cc=pakki001@umn.edu \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.