Since 'ath11k_mac_get_ar_by_pdev_id()' can return NULL, check
the return value in 'ath11k_wmi_tlv_rssi_chain_parse()' as well
as in 'ath11k_wmi_tlv_fw_stats_data_parse()', and return -EINVAL
in case of error. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
---
v2: aggregate to the series
---
drivers/net/wireless/ath/ath11k/wmi.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
index 34ab9631ff36..2d93e4e78a37 100644
--- a/drivers/net/wireless/ath/ath11k/wmi.c
+++ b/drivers/net/wireless/ath/ath11k/wmi.c
@@ -6498,6 +6498,12 @@ static int ath11k_wmi_tlv_rssi_chain_parse(struct ath11k_base *ab,
rcu_read_lock();
ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "%s: invalid pdev_id %d\n",
+ __func__, ev->pdev_id);
+ ret = -EINVAL;
+ goto exit;
+ }
stats->stats_id = WMI_REQUEST_RSSI_PER_CHAIN_STAT;
ath11k_dbg(ab, ATH11K_DBG_WMI,
@@ -6570,6 +6576,12 @@ static int ath11k_wmi_tlv_fw_stats_data_parse(struct ath11k_base *ab,
rcu_read_lock();
ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "%s: invalid pdev_id %d\n",
+ __func__, ev->pdev_id);
+ ret = -EINVAL;
+ goto exit;
+ }
for (i = 0; i < ev->num_pdev_stats; i++) {
const struct wmi_pdev_stats *src;
--
2.44.0
