Ganapathi Bhat <gbhat@xxxxxxxxxxx> writes:

> From: Sharvari Harisangam <sharvari@xxxxxxxxxxx>
>
> mwifiex_pcie_fw_dump would read firmware scratch registers, to
> get the size of the dump. It does a vmalloc of memory_size + 1,
> read above, to save the dump. It is possible that the value read
> by memory_size scratch register be invalid, i.e 0xffffffff. This
> would pass an invalid size(0) to vmalloc. To fix this check for
> invalid scratch register read.
>
> Signed-off-by: Sharvari Harisangam <sharvari@xxxxxxxxxxx>
> Signed-off-by: Ganapathi Bhat <gbhat@xxxxxxxxxxx>
> ---
>  drivers/net/wireless/marvell/mwifiex/pcie.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/drivers/net/wireless/marvell/mwifiex/pcie.c b/drivers/net/wireless/marvell/mwifiex/pcie.c
> index fc1706d..483b521 100644
> --- a/drivers/net/wireless/marvell/mwifiex/pcie.c
> +++ b/drivers/net/wireless/marvell/mwifiex/pcie.c
> @@ -2727,6 +2727,13 @@ static void mwifiex_pcie_fw_dump(struct mwifiex_adapter *adapter)
>  			break;
>  		}
>  
> +		if (memory_size == 0xffffffff) {
> +			mwifiex_dbg(adapter, ERROR,
> +				    "Invalid dump size: 0x%x, for %s\n",
> +				    memory_size, entry->mem_name);
> +			return;
> +		}
> +
>  		mwifiex_dbg(adapter, DUMP,
>  			    "%s_SIZE=0x%x\n", entry->mem_name, memory_size);
>  		entry->mem_ptr = vmalloc(memory_size + 1);

So 0xfffffffe would be a valid length for vmalloc()? I doubt that :)

A proper fix would be to add a reasonable maximum for memory_size and
return if it's anything bigger than the limit. Never trust the firmware.

-- 
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
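Review bot: the added check in the hunk rejects only the single sentinel value 0xffffffff, so every other bogus value the firmware scratch register can hand back (0xfffffffe, or any size larger than the dump region could plausibly be) still flows into `vmalloc(memory_size + 1)`; replace the equality test with a range check against an upper bound chosen for the dump regions, e.g. `if (memory_size == 0 || memory_size > <max dump size, to be defined>)`, so that the driver never sizes an allocation from an unvalidated firmware value. Two smaller points on the same lines: a named constant in place of the bare `0xffffffff` literal would record why that value is treated as "register read failed", and the commit message should state whether the early `return` (leaving mwifiex_pcie_fw_dump entirely instead of skipping only the offending entry) is the intended behaviour.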