2024-05-13 14:36:03

by sicong

Subject: [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug

Function mt7615_coredump_work will call vzalloc to allocate a large amount
of memory space, the size of which is 1300KB. There should be a null
pointer check after vzalloc. Otherwise, when the memory allocation fails
and returns NULL, the function will cause a kernel crash.

Fixes: de791098459d ("wifi: mt76: mt7615: fix null pointer dereference bug")
Signed-off-by: Sicong Huang <[email protected]>
---
drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
index 7ba789834e8d..04eb52904520 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
@@ -2341,6 +2341,9 @@ void mt7615_coredump_work(struct work_struct *work)
}

dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
+ if(!dump)
+ return;
+
data = dump;

while (true) {
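Review bot: the early `return` added after `vzalloc()` exits before the `while (true)` loop that follows, so if that loop is where the dump pointer is already checked and the queued coredump messages are drained (as the reply in this thread suggests), returning here leaves those messages on the queue on allocation failure; consider letting the loop run and only skipping the copy when `dump` is NULL. Two smaller points: kernel style wants a space in `if (!dump)`, and the Fixes: tag quotes this patch's own subject line, which looks copy-pasted; it should name the commit that introduced the `vzalloc(MT76_CONNAC_COREDUMP_SZ)` call.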
--
2.34.1


2024-05-13 16:13:18

by Lorenzo Bianconi

Subject: Re: [PATCH v1] wifi: mt76: mt7615: fix null pointer dereference bug

> Function mt7615_coredump_work will call vzalloc to allocate a large amount
> of memory space, the size of which is 1300KB. There should be a null
> pointer check after vzalloc. Otherwise, when the memory allocation fails
> and returns NULL, the function will cause a kernel crash.
>
> Fixes: de791098459d ("wifi: mt76: mt7615: fix null pointer dereference bug")
> Signed-off-by: Sicong Huang <[email protected]>
> ---
> drivers/net/wireless/mediatek/mt76/mt7615/mac.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> index 7ba789834e8d..04eb52904520 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mac.c
> @@ -2341,6 +2341,9 @@ void mt7615_coredump_work(struct work_struct *work)
> }
>
> dump = vzalloc(MT76_CONNAC_COREDUMP_SZ);
> + if(!dump)
> + return;
> +
> data = dump;
>
> while (true) {
> --
> 2.34.1

I guess the kernel will not crash here since we check the dump pointer in the
while loop; we will just flush the msg_list queue.

Regards,
Lorenzo

