| Message ID | 20190311074347.32003-1-kjlu@umn.edu |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | David Miller |
| Headers | show |
| Series | net: mwifiex: fix a NULL pointer dereference | expand |
On Mon, Mar 11, 2019 at 02:43:47AM -0500, Kangjie Lu wrote: > In case dev_alloc_skb fails, the fix returns -ENOMEM to avoid > NULL pointer dereference. > > Signed-off-by: Kangjie Lu <kjlu@umn.edu> > --- > drivers/net/wireless/marvell/mwifiex/cmdevt.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/net/wireless/marvell/mwifiex/cmdevt.c b/drivers/net/wireless/marvell/mwifiex/cmdevt.c > index 60db2b969e20..5565f18039ab 100644 > --- a/drivers/net/wireless/marvell/mwifiex/cmdevt.c > +++ b/drivers/net/wireless/marvell/mwifiex/cmdevt.c > @@ -341,6 +341,12 @@ static int mwifiex_dnld_sleep_confirm_cmd(struct mwifiex_adapter *adapter) > sleep_cfm_tmp = > dev_alloc_skb(sizeof(struct mwifiex_opt_sleep_confirm) > + MWIFIEX_TYPE_LEN); > + if (!sleep_cfm_tmp) { > + mwifiex_dbg(adapter, ERROR, You have trailing whitespace. Please run your patches through scripts/checkpatch.pl. > + "SLEEP_CFM: dev_alloc_skb failed\n"); > + return -ENOMEM; It's not exactly a problem with your patch, but nobody really checks the return status of this function. I think in most (all?) cases, that's probably OK, because we also implicitly communicate the success/failure of this function by modifying the ->ps_state field (basically, a state machine). So this is probably OK. Other than the whitespace: Reviewed-by: Brian Norris <briannorris@chromium.org> > + } > + > skb_put(sleep_cfm_tmp, sizeof(struct mwifiex_opt_sleep_confirm) > + MWIFIEX_TYPE_LEN); > put_unaligned_le32(MWIFIEX_USB_TYPE_CMD, sleep_cfm_tmp->data); > -- > 2.17.1 >
diff --git a/drivers/net/wireless/marvell/mwifiex/cmdevt.c b/drivers/net/wireless/marvell/mwifiex/cmdevt.c index 60db2b969e20..5565f18039ab 100644 --- a/drivers/net/wireless/marvell/mwifiex/cmdevt.c +++ b/drivers/net/wireless/marvell/mwifiex/cmdevt.c @@ -341,6 +341,12 @@ static int mwifiex_dnld_sleep_confirm_cmd(struct mwifiex_adapter *adapter) sleep_cfm_tmp = dev_alloc_skb(sizeof(struct mwifiex_opt_sleep_confirm) + MWIFIEX_TYPE_LEN); + if (!sleep_cfm_tmp) { + mwifiex_dbg(adapter, ERROR, + "SLEEP_CFM: dev_alloc_skb failed\n"); + return -ENOMEM; + } + skb_put(sleep_cfm_tmp, sizeof(struct mwifiex_opt_sleep_confirm) + MWIFIEX_TYPE_LEN); put_unaligned_le32(MWIFIEX_USB_TYPE_CMD, sleep_cfm_tmp->data);
In case dev_alloc_skb fails, the fix returns -ENOMEM to avoid NULL pointer dereference. Signed-off-by: Kangjie Lu <kjlu@umn.edu> --- drivers/net/wireless/marvell/mwifiex/cmdevt.c | 6 ++++++ 1 file changed, 6 insertions(+)