Commit 3fd2ef2a authored by Matvey Kovalev's avatar Matvey Kovalev Committed by Jeff Johnson
Browse files

wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() 



If ab->fw.m3_data points to data, then fw pointer remains null.
Further, if m3_mem is not allocated, then fw is dereferenced to be
passed to ath11k_err function.

Replace fw->size by m3_len.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 7db88b96 ("wifi: ath11k: add firmware-2.bin support")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarMatvey Kovalev <matvey.kovalev@ispras.ru>
Reviewed-by: default avatarBaochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: default avatarVasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru


Signed-off-by: default avatarJeff Johnson <jeff.johnson@oss.qualcomm.com>
parent 900730dc

drivers/net/wireless/ath/ath11k/qmi.c

+1 −1
Original line number Diff line number Diff line
@@ -2548,7 +2548,7 @@ static int ath11k_qmi_m3_load(struct ath11k_base *ab) 
					   GFP_KERNEL);

	if (!m3_mem->vaddr) {

		ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n",

			   fw->size);

			   m3_len);

		ret = -ENOMEM;

		goto out;

	}