mwifiex: Fix an issue spotted by KASAN
authorGanapathi Bhat <gbhat@marvell.com>
Thu, 16 Jun 2016 13:22:21 +0000 (18:52 +0530)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 29 Jun 2016 15:53:59 +0000 (18:53 +0300)
When an association command is sent to firmware but the process is
killed before the command response arrives, the driver will try to
access bss_desc, which has already been freed. This issue is fixed by
checking the return value of bss_start.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/marvell/mwifiex/join.c
drivers/net/wireless/marvell/mwifiex/sta_ioctl.c

index a4b773d102b37eaa8376f17c84eb73be77df7567..1c7b00630b90aafb618edf66a5872b7fe1ba167b 100644 (file)
@@ -647,6 +647,12 @@ int mwifiex_ret_802_11_associate(struct mwifiex_private *priv,
        const u8 *ie_ptr;
        struct ieee80211_ht_operation *assoc_resp_ht_oper;
 
+       if (!priv->attempted_bss_desc) {
+               mwifiex_dbg(priv->adapter, ERROR,
+                           "ASSOC_RESP: failed, association terminated by host\n");
+               goto done;
+       }
+
        assoc_rsp = (struct ieee_types_assoc_rsp *) &resp->params;
 
        cap_info = le16_to_cpu(assoc_rsp->cap_info_bitmap);
@@ -1270,6 +1276,12 @@ int mwifiex_ret_802_11_ad_hoc(struct mwifiex_private *priv,
        u16 cmd = le16_to_cpu(resp->command);
        u8 result;
 
+       if (!priv->attempted_bss_desc) {
+               mwifiex_dbg(priv->adapter, ERROR,
+                           "ADHOC_RESP: failed, association terminated by host\n");
+               goto done;
+       }
+
        if (cmd == HostCmd_CMD_802_11_AD_HOC_START)
                result = start_result->result;
        else
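Review bot: The early exit at `goto done` in mwifiex_ret_802_11_associate leaves `ret` untouched, so if `ret` is initialized to 0 further up (outside the hunk) the response handler still reports success for an association the host has already abandoned; set a failure value before the jump, e.g. `ret = -1;` if that matches the file's convention, and the same applies to the second hunk in mwifiex_ret_802_11_ad_hoc. The guard also depends on the sta_ioctl.c side clearing `priv->attempted_bss_desc` before this handler runs; if the clear and this read can execute concurrently, there is still a window between the NULL check and the later accesses the commit message describes in which the descriptor can be freed, so the check should carry a comment naming what serializes it, e.g. `/* cleared by mwifiex_bss_start() when the caller gave up; serialized by <LOCK-NAME> */`. Both functions start and end outside their hunks, so the initial value of `ret` and the code at `done:` cannot be confirmed here.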
index 8e0862657122a412abc76c86ce140f5ec0853b4b..2ba5397272e2148c731291d20c0d56373f225449 100644 (file)
@@ -426,6 +426,10 @@ done:
        if (bss_desc)
                kfree(bss_desc->beacon_buf);
        kfree(bss_desc);
+
+       if (ret < 0)
+               priv->attempted_bss_desc = NULL;
+
        return ret;
 }