From: Colin Ian King Date: Mon, 28 Oct 2013 12:58:12 +0000 (+0000) Subject: rtlwifi: fix null dereference on efuse_word on kmalloc fail returns NULL X-Git-Tag: v4.14-rc1~8512^2~6^2^2~29 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=450991fd2f9d362562c69b2e70832b2ecb7624cb;p=platform%2Fkernel%2Flinux-rpi.git rtlwifi: fix null dereference on efuse_word on kmalloc fail returns NULL kmalloc on efuse_word can return null, leading to free'ing of elements in efuse_word on the error exit path even though it has not been allocated. Instead, don't free the elements of efuse_word if kmalloc failed. Also, kmalloc of any of the arrays in efuse_word[] can also fail, leading to undefined contents in the remaining elements leading to problems when free'ing these elements later on. So kzalloc efuse_word to ensure the kfree on the remaining elements won't cause breakage. Signed-off-by: Colin Ian King Signed-off-by: John W. Linville --- diff --git a/drivers/net/wireless/rtlwifi/efuse.c b/drivers/net/wireless/rtlwifi/efuse.c index ae13fb9..2ffc729 100644 --- a/drivers/net/wireless/rtlwifi/efuse.c +++ b/drivers/net/wireless/rtlwifi/efuse.c @@ -262,9 +262,9 @@ void read_efuse(struct ieee80211_hw *hw, u16 _offset, u16 _size_byte, u8 *pbuf) sizeof(u8), GFP_ATOMIC); if (!efuse_tbl) return; - efuse_word = kmalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC); + efuse_word = kzalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC); if (!efuse_word) - goto done; + goto out; for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) { efuse_word[i] = kmalloc(efuse_max_section * sizeof(u16), GFP_ATOMIC); @@ -378,6 +378,7 @@ done: for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) kfree(efuse_word[i]); kfree(efuse_word); +out: kfree(efuse_tbl); }