wifi: mwifiex: avoid possible NULL skb pointer dereference

[ Upstream commit 35a7a1ce7c7d61664ee54f5239a1f120ab95a87e ]

In 'mwifiex_handle_uap_rx_forward()', always check the value
returned by 'skb_copy()' to avoid potential NULL pointer
dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop
original skb in case of copying failure.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling")
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
index 90c07722c25f8af189e89561dadb0cd61ffc975f..a887d7a9b7c0385adba35d2fd5ec7f4de8736303 100644 (file)
--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
+++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c
@@ -266,7 +266,15 @@ int mwifiex_handle_uap_rx_forward(struct mwifiex_private *priv,
 
        if (is_multicast_ether_addr(ra)) {
                skb_uap = skb_copy(skb, GFP_ATOMIC);
-               mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+               if (likely(skb_uap)) {
+                       mwifiex_uap_queue_bridged_pkt(priv, skb_uap);
+               } else {
+                       mwifiex_dbg(adapter, ERROR,
+                                   "failed to copy skb for uAP\n");
+                       priv->stats.rx_dropped++;
+                       dev_kfree_skb_any(skb);
+                       return -1;
+               }
        } else {
                if (mwifiex_get_sta_entry(priv, ra)) {
                        /* Requeue Intra-BSS packet */