Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp2455471rdg;
        Mon, 14 Aug 2023 03:12:18 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFZFm/C6FHmpvkFsUcc1+GCIhZ0a4DMC09qtEtyq3tr8SnxVygmbb1r5dHZMmk9Og9K6y82
X-Received: by 2002:a05:6a20:1052:b0:12f:dc31:a71e with SMTP id gt18-20020a056a20105200b0012fdc31a71emr9590381pzc.56.1692007938347;
        Mon, 14 Aug 2023 03:12:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1692007938; cv=none;
        d=google.com; s=arc-20160816;
        b=k0pnuYt2WrO57Wm8FXD5zVehftDM+wciyPvc96HbdjQpKSIBPwl+N/34eEJ2U4CU29
         vZkYioUOqMd8MsQoTILRbRWaUr0rTBDxdPLofwMj8paFGvqgC8XEJzsjt7C4a+2yaC3i
         +ccAdS27qMod9rGa1ogASj6uMuIoWefe4aUivs6wKACEBp/6K7u74IYoWpplr288ZUXC
         xukg26xgDs3c1E3zvHAKE4/E44RfeAJWJZoV5y/VdUKTtabP8IRBSUzMotzpr4h/AJDN
         DTVbeWvKvorN9qTBukLEvzNY0BkkUpfpiV2jcvPI3Xbt9asXanuVFbVsSUehOmOGM4JK
         8lVQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=uwfAbvzAJ5mCxRt7nF4g41PPpuoNNWHBYhB7JxSEVUE=;
        fh=qNTNQJCwXPXlkhMjfcbW5RmVTNlOQmtiwNfLT5XSKFo=;
        b=kOKUoU8c4VbnGq4rawAang9LY+MuGILuLzJw2pR4h3dQY5hI979mW0gF45BOX0+ZWX
         nfFRxzssec24RbqkxysW7gm1xnk0Av2wZq1NXhw0stJQRqjjv4vp0sMlc1JMhceXcF5u
         AWaRkrGA/ESCejJgMF1PvGV2zwuWDXr+5LkwhBMh4saivRRMhsS+eaIbVH+YvleqYKMn
         ZdPNTgpAyp8C+vG6GDX2NTTr44kxaJgtoAhuRV/t7ifen24BHM2iM6f6xkCp9yWALS0t
         2qGxiyFC1pTEmudWJ9AnU6gGs+UA+rQLX4rwmSI8KemQ+DSRe39cJPrTPJcpa558S0Nu
         4fLQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@yandex.ru header.s=mail header.b=sAABRhJF;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id az1-20020a056a02004100b0053f265b0eecsi7686276pgb.133.2023.08.14.03.12.11;
        Mon, 14 Aug 2023 03:12:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yandex.ru header.s=mail header.b=sAABRhJF;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=yandex.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233576AbjHNJvc (ORCPT <rfc822;pigworlds@gmail.com> + 54 others);
        Mon, 14 Aug 2023 05:51:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57084 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233056AbjHNJvS (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 14 Aug 2023 05:51:18 -0400
Received: from forward100c.mail.yandex.net (forward100c.mail.yandex.net [178.154.239.211])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1409DCC
        for <linux-wireless@vger.kernel.org>; Mon, 14 Aug 2023 02:51:16 -0700 (PDT)
Received: from mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net [IPv6:2a02:6b8:c14:150a:0:640:1aa5:0])
        by forward100c.mail.yandex.net (Yandex) with ESMTP id D6814600C7;
        Mon, 14 Aug 2023 12:50:43 +0300 (MSK)
Received: by mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id goaTXXsWva60-YergxtIm;
        Mon, 14 Aug 2023 12:50:43 +0300
X-Yandex-Fwd: 1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1692006643;
        bh=uwfAbvzAJ5mCxRt7nF4g41PPpuoNNWHBYhB7JxSEVUE=;
        h=Message-ID:Date:In-Reply-To:Cc:Subject:References:To:From;
        b=sAABRhJFrnuotIa295XkEQObo72nyZn9MEzUhjTF9IX9HBRtzqUTgrUuzdQ9Bj5+L
         ada17h3vad8DJ6+0ObVuoV5heiX44xbkIVGnSC6SMphSOouORTXjxCJgjpSsdbinzY
         D5r6BbwfNZqpvgf8luM+waO8t9PkTSmrK0fklAMk=
Authentication-Results: mail-nwsmtp-smtp-production-main-60.sas.yp-c.yandex.net; dkim=pass header.i=@yandex.ru
From:   Dmitry Antipov <dmantipov@yandex.ru>
To:     Brian Norris <briannorris@chromium.org>
Cc:     Kalle Valo <kvalo@kernel.org>, linux-wireless@vger.kernel.org,
        lvc-project@linuxtesting.org, Dmitry Antipov <dmantipov@yandex.ru>
Subject: [PATCH] [v2] wifi: mwifiex: avoid possible NULL skb pointer dereference
Date:   Mon, 14 Aug 2023 12:49:57 +0300
Message-ID: <20230814095041.16416-1-dmantipov@yandex.ru>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <ZNKhb2lgSmfEqqsW@google.com>
References: <ZNKhb2lgSmfEqqsW@google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
        RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

In 'mwifiex_handle_uap_rx_forward()', always check the value
returned by 'skb_copy()' to avoid potential NULL pointer
dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
original skb in case of copying failure.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling")
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
v2: increment RX drop count rather than TX one (Brian Norris)
---
 drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
index 04ff051f5d18..a8a9986102a2 100644
--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
@@ -252,7 +252,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
 
 	if (is_multicast_ether_addr(ra)) {
 		skb_uap = skb_copy(skb, GFP_ATOMIC);
-		mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+		if (likely(skb_uap)) {
+			mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+		} else {
+			mwifiex_dbg(adapter, ERROR,
+				    "failed to copy skb for uAP\n");
+			priv->stats.rx_dropped++;
+			dev_kfree_skb_any(skb);
+			return -1;
+		}
 	} else {
 		if (mwifiex_get_sta_entry(priv, ra)) {
 			/* Requeue Intra-BSS packet */
-- 
2.41.0