* [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug
@ 2024-05-13 12:23 Sicong Huang
2024-05-13 13:23 ` AngeloGioacchino Del Regno
0 siblings, 1 reply; 4+ messages in thread
From: Sicong Huang @ 2024-05-13 12:23 UTC (permalink / raw)
To: nbd, ryder.lee, shayne.chen, sean.wang, kvalo, matthias.bgg,
angelogioacchino.delregno
Cc: linux-wireless, linux-mediatek, Sicong Huang
Function mt7615_coredump_work will call vzalloc to allocate a large amount
of memory space, the size of which is 1300KB. There should be a null
pointer check after vzalloc. Otherwise, when the memory allocation fails
and returns NULL, the function will cause a Kernel crash.
Signed-off-by: Sicong Huang <congei42@163.com>
---
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index 7ba789834e8d..04eb52904520 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2341,6 +2341,9 @@ void mt7615_coredump_work(struct work_struct *work)
}
dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
+ if(!dump)
+ return;
+
data = dump;
while (true) {
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug
2024-05-13 12:23 [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug Sicong Huang
@ 2024-05-13 13:23 ` AngeloGioacchino Del Regno
0 siblings, 0 replies; 4+ messages in thread
From: AngeloGioacchino Del Regno @ 2024-05-13 13:23 UTC (permalink / raw)
To: Sicong Huang, nbd, ryder.lee, shayne.chen, sean.wang, kvalo,
matthias.bgg
Cc: linux-wireless, linux-mediatek
Il 13/05/24 14:23, Sicong Huang ha scritto:
> Function mt7615_coredump_work will call vzalloc to allocate a large amount
> of memory space, the size of which is 1300KB. There should be a null
> pointer check after vzalloc. Otherwise, when the memory allocation fails
Otherwise, if the memory allocation fails ...
> and returns NULL, the function will cause a Kernel crash.
> > Signed-off-by: Sicong Huang <congei42@163.com>
Please add the relevant Fixes tag and resend.
Cheers,
Angelo
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug
@ 2024-05-13 14:34 sicong
2024-05-13 16:13 ` Lorenzo Bianconi
0 siblings, 1 reply; 4+ messages in thread
From: sicong @ 2024-05-13 14:34 UTC (permalink / raw)
To: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang, kvalo,
matthias.bgg, angelogioacchino.delregno
Cc: linux-wireless, linux-mediatek
Function mt7615_coredump_work will call vzalloc to allocate a large amount
of memory space, the size of which is 1300KB. There should be a null
pointer check after vzalloc. Otherwise, when the memory allocation fails
and returns NULL, the function will cause kernel crash.
Fixes: de791098459d ("wifi: mt76: mt7615: fix null pointer dereference bug")
Signed-off-by: Sicong Huang <congei42@163.com>
---
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index 7ba789834e8d..04eb52904520 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2341,6 +2341,9 @@ void mt7615_coredump_work(struct work_struct *work)
}
dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
+ if(!dump)
+ return;
+
data = dump;
while (true) {
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug
2024-05-13 14:34 sicong
@ 2024-05-13 16:13 ` Lorenzo Bianconi
0 siblings, 0 replies; 4+ messages in thread
From: Lorenzo Bianconi @ 2024-05-13 16:13 UTC (permalink / raw)
To: sicong
Cc: nbd, ryder.lee, shayne.chen, sean.wang, kvalo, matthias.bgg,
angelogioacchino.delregno, linux-wireless, linux-mediatek
[-- Attachment #1: Type: text/plain, Size: 1180 bytes --]
> Function mt7615_coredump_work will call vzalloc to allocate a large amount
> of memory space, the size of which is 1300KB. There should be a null
> pointer check after vzalloc. Otherwise, when the memory allocation fails
> and returns NULL, the function will cause kernel crash.
>
> Fixes: de791098459d ("wifi: mt76: mt7615: fix null pointer dereference bug")
> Signed-off-by: Sicong Huang <congei42@163.com>
> ---
> drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> index 7ba789834e8d..04eb52904520 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> @@ -2341,6 +2341,9 @@ void mt7615_coredump_work(struct work_struct *work)
> }
>
> dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
> + if(!dump)
> + return;
> +
> data = dump;
>
> while (true) {
> --
> 2.34.1
I guess the kernel will not crash here since we check the dump pointer in the
while loop, we will just flush the msg_list queue.
Regards,
Lorenzo
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-05-13 16:13 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-13 12:23 [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug Sicong Huang
2024-05-13 13:23 ` AngeloGioacchino Del Regno
-- strict thread matches above, loose matches on Subject: below --
2024-05-13 14:34 sicong
2024-05-13 16:13 ` Lorenzo Bianconi
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox