rtw88: fix potential NULL pointer access for firmware

Message ID	20191105090442.8378-1-yhchuang@realtek.com (mailing list archive)
State	Accepted
Commit	f530c1961af27f68a009b5fa532a4ed14f9c0e8c
Delegated to:	Kalle Valo
Headers	show Return-Path: <SRS0=b/BL=Y5=vger.kernel.org=linux-wireless-owner@kernel.org> Authenticated-By: X-SpamFilter-By: BOX Solutions SpamTrap 5.62 with qID xA594jvo004848, This message is accepted by code: ctloc85258 From: <yhchuang@realtek.com> To: <kvalo@codeaurora.org> CC: <dan.carpenter@oracle.com>, <linux-wireless@vger.kernel.org> Subject: [PATCH] rtw88: fix potential NULL pointer access for firmware Date: Tue, 5 Nov 2019 17:04:42 +0800 Message-ID: <20191105090442.8378-1-yhchuang@realtek.com> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk
Series	rtw88: fix potential NULL pointer access for firmware \| expand rtw88: fix potential NULL pointer access for firmware

Message ID

20191105090442.8378-1-yhchuang@realtek.com (mailing list archive)

State

Accepted

Commit

f530c1961af27f68a009b5fa532a4ed14f9c0e8c

Delegated to:

Kalle Valo

Headers

show

Return-Path: <SRS0=b/BL=Y5=vger.kernel.org=linux-wireless-owner@kernel.org>
Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
 [172.30.200.123])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3DC531599
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Tue,  5 Nov 2019 09:06:09 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 26CD720869
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Tue,  5 Nov 2019 09:06:09 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730592AbfKEJGI (ORCPT
        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
        Tue, 5 Nov 2019 04:06:08 -0500
Received: from rtits2.realtek.com ([211.75.126.72]:39359 "EHLO
        rtits2.realtek.com.tw" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727095AbfKEJGI (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 5 Nov 2019 04:06:08 -0500
Authenticated-By: 
X-SpamFilter-By: BOX Solutions SpamTrap 5.62 with qID xA594jvo004848,
 This message is accepted by code: ctloc85258
Received: from mail.realtek.com (RTITCASV01.realtek.com.tw[172.21.6.18])
        by rtits2.realtek.com.tw (8.15.2/2.57/5.78) with ESMTPS id
 xA594jvo004848
        (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
        Tue, 5 Nov 2019 17:04:45 +0800
Received: from localhost.localdomain (172.21.68.126) by
 RTITCASV01.realtek.com.tw (172.21.6.18) with Microsoft SMTP Server id
 14.3.468.0; Tue, 5 Nov 2019 17:04:45 +0800
From: <yhchuang@realtek.com>
To: <kvalo@codeaurora.org>
CC: <dan.carpenter@oracle.com>, <linux-wireless@vger.kernel.org>
Subject: [PATCH] rtw88: fix potential NULL pointer access for firmware
Date: Tue, 5 Nov 2019 17:04:42 +0800
Message-ID: <20191105090442.8378-1-yhchuang@realtek.com>
X-Mailer: git-send-email 2.17.1
MIME-Version: 1.0
Content-Type: text/plain
X-Originating-IP: [172.21.68.126]
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Series

rtw88: fix potential NULL pointer access for firmware | expand

Commit Message

Tony Chuang Nov. 5, 2019, 9:04 a.m. UTC

From: Yan-Hsuan Chuang <yhchuang@realtek.com>

Driver could access a NULL firmware pointer if we don't
return here.

Fixes: 5195b90426409 ("rtw88: avoid FW info flood")
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
---
 drivers/net/wireless/realtek/rtw88/main.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Kalle Valo Nov. 6, 2019, 5:58 p.m. UTC | #1

<yhchuang@realtek.com> wrote:

> From: Yan-Hsuan Chuang <yhchuang@realtek.com>
> 
> Driver could access a NULL firmware pointer if we don't
> return here.
> 
> Fixes: 5195b90426409 ("rtw88: avoid FW info flood")
> Reported-by: kbuild test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>

Patch applied to wireless-drivers-next.git, thanks.

f530c1961af2 rtw88: fix potential NULL pointer access for firmware

Brian Norris Nov. 6, 2019, 9:33 p.m. UTC | #2

On Tue, Nov 5, 2019 at 1:06 AM <yhchuang@realtek.com> wrote:
...
> Fixes: 5195b90426409 ("rtw88: avoid FW info flood")
...
> --- a/drivers/net/wireless/realtek/rtw88/main.c
> +++ b/drivers/net/wireless/realtek/rtw88/main.c
> @@ -1024,8 +1024,10 @@ static void rtw_load_firmware_cb(const struct firmware *firmware, void *context)
>         struct rtw_fw_state *fw = &rtwdev->fw;
>         const struct rtw_fw_hdr *fw_hdr;
>
> -       if (!firmware)
> +       if (!firmware || !firmware->data) {
>                 rtw_err(rtwdev, "failed to request firmware\n");

I think you still wanted 'complete_all()' here, otherwise your waiters
will hang forever. (They correctly check whether the firmware is NULL,
so that's not a problem there.)

I'll send a follow-up to the follow-up :)

Brian

> +               return;
> +       }

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 021668f1b74f..de82d08ea29e 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1024,8 +1024,10 @@  static void rtw_load_firmware_cb(const struct firmware *firmware, void *context)
 	struct rtw_fw_state *fw = &rtwdev->fw;
 	const struct rtw_fw_hdr *fw_hdr;
 
-	if (!firmware)
+	if (!firmware || !firmware->data) {
 		rtw_err(rtwdev, "failed to request firmware\n");
+		return;
+	}
 
 	fw_hdr = (const struct rtw_fw_hdr *)firmware->data;
 	fw->h2c_version = le16_to_cpu(fw_hdr->h2c_fmt_ver);