]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
ath10k: add missing error handling
authorClaire Chang <tientzu@chromium.org>
Thu, 23 May 2019 07:15:34 +0000 (15:15 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 31 Jul 2019 05:28:29 +0000 (07:28 +0200)
[ Upstream commit 4b553f3ca4cbde67399aa3a756c37eb92145b8a1 ]

In function ath10k_sdio_mbox_rx_alloc() [sdio.c],
ath10k_sdio_mbox_alloc_rx_pkt() is called without handling the error cases.
This will make the driver think the allocation for skb is successful and
try to access the skb. If we enable failslab, system will easily crash with
NULL pointer dereferencing.

Call trace of CONFIG_FAILSLAB:
ath10k_sdio_irq_handler+0x570/0xa88 [ath10k_sdio]
process_sdio_pending_irqs+0x4c/0x174
sdio_run_irqs+0x3c/0x64
sdio_irq_work+0x1c/0x28

Fixes: d96db25d2025 ("ath10k: add initial SDIO support")
Signed-off-by: Claire Chang <tientzu@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/wireless/ath/ath10k/sdio.c

index da9dbf3ddaa5e5ec2c5c072641bc8d5cb963f7f4..c6440d28ab48ea73879ca38a04b8370f5a92a30a 100644 (file)
@@ -610,6 +610,10 @@ static int ath10k_sdio_mbox_rx_alloc(struct ath10k *ar,
                                                    full_len,
                                                    last_in_bundle,
                                                    last_in_bundle);
+               if (ret) {
+                       ath10k_warn(ar, "alloc_rx_pkt error %d\n", ret);
+                       goto err;
+               }
        }
 
        ar_sdio->n_rx_pkts = i;