From: Johannes Berg <johannes.berg@xxxxxxxxx> We shouldn't kmemdup() more data than we have, that might cause the code to crash. Fix that by updating the length before the kmemdup. Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx> --- drivers/net/wireless/intel/iwlwifi/fw/pnvm.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c index dde22bdc8703..9b0eee53488a 100644 --- a/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c +++ b/drivers/net/wireless/intel/iwlwifi/fw/pnvm.c @@ -284,16 +284,15 @@ int iwl_pnvm_load(struct iwl_trans *trans, /* First attempt to get the PNVM from BIOS */ package = iwl_uefi_get_pnvm(trans, &len); if (!IS_ERR_OR_NULL(package)) { + /* we need only the data */ + len -= sizeof(*package); data = kmemdup(package->data, len, GFP_KERNEL); /* free package regardless of whether kmemdup succeeded */ kfree(package); - if (data) { - /* we need only the data size */ - len -= sizeof(*package); + if (data) goto parse; - } } /* If it's not available, try from the filesystem */ -- 2.33.0