Patch "wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware()" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Tue, 20 Aug 2024 08:02:07 -0400

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-check-for-kmemdup-return-value-in-iwl_p.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 66bd0c760760e5454737e67b9fb11089fb9cc85b
Author: Dmitry Antipov <dmantipov@xxxxxxxxx>
Date:   Mon Oct 9 20:04:49 2023 +0300

    wifi: iwlwifi: check for kmemdup() return value in iwl_parse_tlv_firmware()
    
    [ Upstream commit 3c8aaaa7557b1e33e6ef95a27a5d8a139dcd0874 ]
    
    In 'iwl_parse_tlv_firmware()', check for 'kmemdup()' return value
    when handling IWL_UCODE_TLV_CURRENT_PC and set the number of parsed
    entries only if an allocation was successful (just like it does with
    handling IWL_UCODE_TLV_CMD_VERSIONS above). Compile tested only.
    
    Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
    Acked-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20231009170453.149905-1-dmantipov@xxxxxxxxx
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index a56593b6135f6..47bea1855e8c8 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -1304,10 +1304,12 @@ static int iwl_parse_tlv_firmware(struct iwl_drv *drv,
 		case IWL_UCODE_TLV_CURRENT_PC:
 			if (tlv_len < sizeof(struct iwl_pc_data))
 				goto invalid_tlv_len;
-			drv->trans->dbg.num_pc =
-				tlv_len / sizeof(struct iwl_pc_data);
 			drv->trans->dbg.pc_data =
 				kmemdup(tlv_data, tlv_len, GFP_KERNEL);
+			if (!drv->trans->dbg.pc_data)
+				return -ENOMEM;
+			drv->trans->dbg.num_pc =
+				tlv_len / sizeof(struct iwl_pc_data);
 			break;
 		default:
 			IWL_DEBUG_INFO(drv, "unknown TLV: %d\n", tlv_type);







