From: Victor Goldenshtein Date: Tue, 17 Sep 2013 15:41:25 +0000 (+0300) Subject: wlcore: fix unsafe dereference of the wlvif X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=bf9d5d28aabc6e420a0b6fb3a24b93046878e864;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git wlcore: fix unsafe dereference of the wlvif wlvif could be passed as NULL from the wlcore_tx_work_locked() to the wl1271_prepare_tx_frame() and to wl1271_skb_queue_head() functions. This may lead to a Kernel panic, fix this by validating that wlvif != NULL. Signed-off-by: Victor Goldenshtein Signed-off-by: Eliad Peller Signed-off-by: Luciano Coelho --- diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c index 03249da9703a..87cd707affa2 100644 --- a/drivers/net/wireless/ti/wlcore/tx.c +++ b/drivers/net/wireless/ti/wlcore/tx.c @@ -401,7 +401,7 @@ static int wl1271_prepare_tx_frame(struct wl1271 *wl, struct wl12xx_vif *wlvif, is_wep = (cipher == WLAN_CIPHER_SUITE_WEP40) || (cipher == WLAN_CIPHER_SUITE_WEP104); - if (WARN_ON(is_wep && wlvif->default_key != idx)) { + if (WARN_ON(is_wep && wlvif && wlvif->default_key != idx)) { ret = wl1271_set_default_wep_key(wl, wlvif, idx); if (ret < 0) return ret;