rtlwifi: fix null dereference on efuse_word on kmalloc fail returns NULL

kmalloc on efuse_word can return null, leading to free'ing of elements in efuse_word on the error exit path even though it has not been allocated. Instead, don't free the elements of efuse_word if kmalloc failed. Also, kmalloc of any of the arrays in efuse_word[] can also fail, leading to undefined contents in the remaining elements leading to problems when free'ing these elements later on. So kzalloc efuse_word to ensure the kfree on the remaining elements won't cause breakage. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
mariux64 · Nov 11, 2013 · 450991f · 450991f
1 parent 01c85ad
commit 450991f
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/drivers/net/wireless/rtlwifi/efuse.c b/drivers/net/wireless/rtlwifi/efuse.c
@@ -262,9 +262,9 @@ void read_efuse(struct ieee80211_hw *hw, u16 _offset, u16 _size_byte, u8 *pbuf)
 			    sizeof(u8), GFP_ATOMIC);
 	if (!efuse_tbl)
 		return;
-	efuse_word = kmalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC);
+	efuse_word = kzalloc(EFUSE_MAX_WORD_UNIT * sizeof(u16 *), GFP_ATOMIC);
 	if (!efuse_word)
-		goto done;
+		goto out;
 	for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
 		efuse_word[i] = kmalloc(efuse_max_section * sizeof(u16),
 					GFP_ATOMIC);
@@ -378,6 +378,7 @@ void read_efuse(struct ieee80211_hw *hw, u16 _offset, u16 _size_byte, u8 *pbuf)
 	for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++)
 		kfree(efuse_word[i]);
 	kfree(efuse_word);
+out:
 	kfree(efuse_tbl);
 }