From: Brian Norris <briannorris@chromium.org>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org, lvc-project@linuxtesting.org
Subject: Re: [PATCH] wifi: mwifiex: avoid possible NULL skb pointer dereference
Date: Tue, 8 Aug 2023 13:11:27 -0700 [thread overview]
Message-ID: <ZNKhb2lgSmfEqqsW@google.com> (raw)
In-Reply-To: <20230808084431.43548-1-dmantipov@yandex.ru>
On Tue, Aug 08, 2023 at 11:44:27AM +0300, Dmitry Antipov wrote:
> In 'mwifiex_handle_uap_rx_forward()', always check the value
> returned by 'skb_copy()' to avoid potential NULL pointer
> dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
> original skb in case of copying failure.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> index 04ff051f5d18..454d1c11d39b 100644
> --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
> @@ -252,7 +252,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
>
> if (is_multicast_ether_addr(ra)) {
> skb_uap = skb_copy(skb, GFP_ATOMIC);
> - mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
> + if (likely(skb_uap)) {
> + mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
> + } else {
> + mwifiex_dbg(adapter, ERROR,
> + "failed to copy skb for uAP\n");
> + priv->stats.tx_dropped++;
This feels like it should be 'rx_dropped', since we're dropping it
before we done any real "RX" (let alone getting to any forward/outbound
operation). I doubt it makes a big difference overall, but it seems like
the right thing to do.
Otherwise, this looks good; feel free to carry this to a next revision
if you're just changing tx_dropped to rx_dropped:
Acked-by: Brian Norris <briannorris@chromium.org>
> + dev_kfree_skb_any(skb);
> + return -1;
> + }
> } else {
> if (mwifiex_get_sta_entry(priv, ra)) {
> /* Requeue Intra-BSS packet */
> --
> 2.41.0
>
next prev parent reply other threads:[~2023-08-08 21:13 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-08 8:44 [PATCH] wifi: mwifiex: avoid possible NULL skb pointer dereference Dmitry Antipov
2023-08-08 20:11 ` Brian Norris [this message]
2023-08-09 9:35 ` Dmitry Antipov
2023-08-09 20:32 ` Bug in commit 119585281617 wifi: mwifiex: Fix OOB and integer underflow when rx packets Brian Norris
2023-08-14 9:49 ` [PATCH] [v2] wifi: mwifiex: avoid possible NULL skb pointer dereference Dmitry Antipov
2023-08-23 11:11 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZNKhb2lgSmfEqqsW@google.com \
--to=briannorris@chromium.org \
--cc=dmantipov@yandex.ru \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.