| From 07957149f5c52671e595ace8d4dedebc7bdda9c4 Mon Sep 17 00:00:00 2001 |
| From: Aditya Pakki <pakki001@umn.edu> |
| Date: Sat, 23 Mar 2019 15:49:16 -0500 |
| Subject: rsi: Fix NULL pointer dereference in kmalloc |
| |
| [ Upstream commit d5414c2355b20ea8201156d2e874265f1cb0d775 ] |
| |
| kmalloc can fail in rsi_register_rates_channels but memcpy still attempts |
| to write to channels. The patch replaces these calls with kmemdup and |
| passes the error upstream. |
| |
| Signed-off-by: Aditya Pakki <pakki001@umn.edu> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/rsi/rsi_91x_mac80211.c | 30 ++++++++++++--------- |
| 1 file changed, 18 insertions(+), 12 deletions(-) |
| |
| diff --git a/drivers/net/wireless/rsi/rsi_91x_mac80211.c b/drivers/net/wireless/rsi/rsi_91x_mac80211.c |
| index 831046e760f8a..49df3bb08d41f 100644 |
| --- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c |
| +++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c |
| @@ -188,27 +188,27 @@ bool rsi_is_cipher_wep(struct rsi_common *common) |
| * @adapter: Pointer to the adapter structure. |
| * @band: Operating band to be set. |
| * |
| - * Return: None. |
| + * Return: int - 0 on success, negative error on failure. |
| */ |
| -static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) |
| +static int rsi_register_rates_channels(struct rsi_hw *adapter, int band) |
| { |
| struct ieee80211_supported_band *sbands = &adapter->sbands[band]; |
| void *channels = NULL; |
| |
| if (band == NL80211_BAND_2GHZ) { |
| - channels = kmalloc(sizeof(rsi_2ghz_channels), GFP_KERNEL); |
| - memcpy(channels, |
| - rsi_2ghz_channels, |
| - sizeof(rsi_2ghz_channels)); |
| + channels = kmemdup(rsi_2ghz_channels, sizeof(rsi_2ghz_channels), |
| + GFP_KERNEL); |
| + if (!channels) |
| + return -ENOMEM; |
| sbands->band = NL80211_BAND_2GHZ; |
| sbands->n_channels = ARRAY_SIZE(rsi_2ghz_channels); |
| sbands->bitrates = rsi_rates; |
| sbands->n_bitrates = ARRAY_SIZE(rsi_rates); |
| } else { |
| - channels = kmalloc(sizeof(rsi_5ghz_channels), GFP_KERNEL); |
| - memcpy(channels, |
| - rsi_5ghz_channels, |
| - sizeof(rsi_5ghz_channels)); |
| + channels = kmemdup(rsi_5ghz_channels, sizeof(rsi_5ghz_channels), |
| + GFP_KERNEL); |
| + if (!channels) |
| + return -ENOMEM; |
| sbands->band = NL80211_BAND_5GHZ; |
| sbands->n_channels = ARRAY_SIZE(rsi_5ghz_channels); |
| sbands->bitrates = &rsi_rates[4]; |
| @@ -227,6 +227,7 @@ static void rsi_register_rates_channels(struct rsi_hw *adapter, int band) |
| sbands->ht_cap.mcs.rx_mask[0] = 0xff; |
| sbands->ht_cap.mcs.tx_params = IEEE80211_HT_MCS_TX_DEFINED; |
| /* sbands->ht_cap.mcs.rx_highest = 0x82; */ |
| + return 0; |
| } |
| |
| static int rsi_mac80211_hw_scan_start(struct ieee80211_hw *hw, |
| @@ -2064,11 +2065,16 @@ int rsi_mac80211_attach(struct rsi_common *common) |
| wiphy->available_antennas_rx = 1; |
| wiphy->available_antennas_tx = 1; |
| |
| - rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ); |
| + status = rsi_register_rates_channels(adapter, NL80211_BAND_2GHZ); |
| + if (status) |
| + return status; |
| wiphy->bands[NL80211_BAND_2GHZ] = |
| &adapter->sbands[NL80211_BAND_2GHZ]; |
| if (common->num_supp_bands > 1) { |
| - rsi_register_rates_channels(adapter, NL80211_BAND_5GHZ); |
| + status = rsi_register_rates_channels(adapter, |
| + NL80211_BAND_5GHZ); |
| + if (status) |
| + return status; |
| wiphy->bands[NL80211_BAND_5GHZ] = |
| &adapter->sbands[NL80211_BAND_5GHZ]; |
| } |
| -- |
| 2.20.1 |
| |