2017-04-23 13:20:41

by Pan Bian

Subject: [PATCH 1/1] libertas: check return value of alloc_workqueue

From: Pan Bian <[email protected]>

Function alloc_workqueue() will return a NULL pointer if there is not
enough memory, and its return value should be validated before using.
However, in function if_spi_probe(), its return value is not checked.
This may result in a NULL dereference bug. This patch fixes the bug.

Signed-off-by: Pan Bian <[email protected]>
---
drivers/net/wireless/marvell/libertas/if_spi.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/if_spi.c b/drivers/net/wireless/marvell/libertas/if_spi.c
index c3a53cd..7b4955c 100644
--- a/drivers/net/wireless/marvell/libertas/if_spi.c
+++ b/drivers/net/wireless/marvell/libertas/if_spi.c
@@ -1181,6 +1181,10 @@ static int if_spi_probe(struct spi_device *spi)

/* Initialize interrupt handling stuff. */
card->workqueue = alloc_workqueue("libertas_spi", WQ_MEM_RECLAIM, 0);
+ if (!card->workqueue) {
+ err = -ENOMEM;
+ goto remove_card;
+ }
INIT_WORK(&card->packet_work, if_spi_host_to_card_worker);
INIT_WORK(&card->resume_work, if_spi_resume_worker);

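Review bot: the changelog promises a NULL dereference fix but does not say where a NULL card->workqueue would actually be used; the INIT_WORK() calls right after the new check only set up card->packet_work and card->resume_work and never touch the workqueue. Naming the first user of card->workqueue in the commit message would make the bug easier to confirm. The check itself reads fine; a blank line between the closing brace and INIT_WORK() would keep the error handling visually separate from the work item setup.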
@@ -1209,6 +1213,7 @@ static int if_spi_probe(struct spi_device *spi)
free_irq(spi->irq, card);
terminate_workqueue:
destroy_workqueue(card->workqueue);
+remove_card:
lbs_remove_card(priv); /* will call free_netdev */
free_card:
free_if_spi_card(card);
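Review bot: the remove_card label sends the -ENOMEM path through lbs_remove_card(priv), so it relies on priv already being valid at the point where alloc_workqueue() is called, and that is not visible in either hunk's context; please confirm it in the changelog or in a short comment at the goto. Placing the label below destroy_workqueue(card->workqueue) is the right order, since there is no workqueue to destroy when the allocation failed.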
--
1.9.1


2017-04-26 09:03:42

by Kalle Valo

Subject: Re: [1/1] libertas: check return value of alloc_workqueue

Pan Bian <[email protected]> wrote:
> From: Pan Bian <[email protected]>
>
> Function alloc_workqueue() will return a NULL pointer if there is not
> enough memory, and its return value should be validated before using.
> However, in function if_spi_probe(), its return value is not checked.
> This may result in a NULL dereference bug. This patch fixes the bug.
>
> Signed-off-by: Pan Bian <[email protected]>

Patch applied to wireless-drivers-next.git, thanks.

dc3f89c38a84 libertas: check return value of alloc_workqueue

--
https://patchwork.kernel.org/patch/9694827/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches