From patchwork Mon Aug 14 09:49:57 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dmitry Antipov X-Patchwork-Id: 714375 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 656F5C41513 for ; Mon, 14 Aug 2023 09:52:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233576AbjHNJvc (ORCPT ); Mon, 14 Aug 2023 05:51:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57084 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233056AbjHNJvS (ORCPT ); Mon, 14 Aug 2023 05:51:18 -0400 Received: from forward100c.mail.yandex.net (forward100c.mail.yandex.net [178.154.239.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1409DCC for ; Mon, 14 Aug 2023 02:51:16 -0700 (PDT) Received: from mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net [IPv6:2a02:6b8:c14:150a:0:640:1aa5:0]) by forward100c.mail.yandex.net (Yandex) with ESMTP id D6814600C7; Mon, 14 Aug 2023 12:50:43 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id goaTXXsWva60-YergxtIm; Mon, 14 Aug 2023 12:50:43 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1692006643; bh=uwfAbvzAJ5mCxRt7nF4g41PPpuoNNWHBYhB7JxSEVUE=; h=Message-ID:Date:In-Reply-To:Cc:Subject:References:To:From; b=sAABRhJFrnuotIa295XkEQObo72nyZn9MEzUhjTF9IX9HBRtzqUTgrUuzdQ9Bj5+L ada17h3vad8DJ6+0ObVuoV5heiX44xbkIVGnSC6SMphSOouORTXjxCJgjpSsdbinzY D5r6BbwfNZqpvgf8luM+waO8t9PkTSmrK0fklAMk= Authentication-Results: mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru From: Dmitry Antipov To: Brian Norris Cc: Kalle Valo , linux-wireless@vger.kernel.org, lvc-project@linuxtesting.org, Dmitry Antipov Subject: [PATCH] [v2] wifi: mwifiex: avoid possible NULL skb pointer dereference Date: Mon, 14 Aug 2023 12:49:57 +0300 Message-ID: <20230814095041.16416-1-dmantipov@yandex.ru> X-Mailer: git-send-email 2.41.0 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org In 'mwifiex_handle_uap_rx_forward()', always check the value returned by 'skb_copy()' to avoid potential NULL pointer dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop original skb in case of copying failure. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") Acked-by: Brian Norris Signed-off-by: Dmitry Antipov --- v2: increment RX drop count rather than TX one (Brian Norris) --- drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c index 04ff051f5d18..a8a9986102a2 100644 --- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c @@ -252,7 +252,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv, if (is_multicast_ether_addr(ra)) { skb_uap = skb_copy(skb, GFP_ATOMIC); - mwifiex_uap_queue_bridged_pkt(priv, skb_uap); + if (likely(skb_uap)) { + mwifiex_uap_queue_bridged_pkt(priv, skb_uap); + } else { + mwifiex_dbg(adapter, ERROR, + "failed to copy skb for uAP\n"); + priv->stats.rx_dropped++; + dev_kfree_skb_any(skb); + return -1; + } } else { if (mwifiex_get_sta_entry(priv, ra)) { /* Requeue Intra-BSS packet */