From patchwork Thu Jun 16 13:22:21 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amitkumar Karwar <akarwar@marvell.com>
X-Patchwork-Id: 9180805
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	6ACD660760 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 16 Jun 2016 13:23:53 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5A44E2835D
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 16 Jun 2016 13:23:53 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 4EB5F2836B; Thu, 16 Jun 2016 13:23:53 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI
	autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id BC9882835D
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Thu, 16 Jun 2016 13:23:52 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754196AbcFPNXu (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Thu, 16 Jun 2016 09:23:50 -0400
Received: from mx0b-0016f401.pphosted.com ([67.231.156.173]:61667 "EHLO
	mx0b-0016f401.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752339AbcFPNXu (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Thu, 16 Jun 2016 09:23:50 -0400
Received: from pps.filterd (m0045851.ppops.net [127.0.0.1])
	by mx0b-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id
	u5GDM9Ra019733
	for <linux-wireless@vger.kernel.org>; Thu, 16 Jun 2016 06:23:49 -0700
Received: from sc-exch04.marvell.com ([199.233.58.184])
	by mx0b-0016f401.pphosted.com with ESMTP id 23gj5fs01c-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT)
	for <linux-wireless@vger.kernel.org>; Thu, 16 Jun 2016 06:23:49 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH04.marvell.com
	(10.93.176.84) with Microsoft SMTP Server (TLS) id 15.0.1104.5;
	Thu, 16 Jun 2016 06:23:47 -0700
Received: from maili.marvell.com (10.93.176.43) by SC-EXCH03.marvell.com
	(10.93.176.83) with Microsoft SMTP Server id 15.0.1104.5 via Frontend
	Transport; Thu, 16 Jun 2016 06:23:47 -0700
Received: from pe-lt949 (unknown [10.31.130.198])
	by maili.marvell.com (Postfix) with ESMTP id 279583F703F;
	Thu, 16 Jun 2016 06:23:46 -0700 (PDT)
Received: from pe-lt949 (localhost [127.0.0.1])
	by pe-lt949 (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id
	u5GDNUrl018639; Thu, 16 Jun 2016 18:53:31 +0530
Received: (from root@localhost)
	by pe-lt949 (8.14.4/8.14.4/Submit) id u5GDNTvl018638;
	Thu, 16 Jun 2016 18:53:29 +0530
From: Amitkumar Karwar <akarwar@marvell.com>
To: <linux-wireless@vger.kernel.org>
CC: Nishant Sarmukadam <nishants@marvell.com>, Cathy Luo <cluo@marvell.com>,
	Ganapathi Bhat <gbhat@marvell.com>,
	Amitkumar Karwar <akarwar@marvell.com>
Subject: [PATCH 1/6] mwifiex: Fix an issue spotted by KASAN
Date: Thu, 16 Jun 2016 18:52:21 +0530
Message-ID: <1466083346-18607-1-git-send-email-akarwar@marvell.com>
X-Mailer: git-send-email 1.9.1
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
	definitions=2016-06-16_06:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0
	spamscore=0 suspectscore=1
	malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam
	adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000
	definitions=main-1606160148
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Ganapathi Bhat <gbhat@marvell.com>

When an association command is sent to firmware but the process is
killed before the command response arrives, driver will try to
access bss_desc which is already freed. This issue is fixed by
checking return value of bss_start.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
---
 drivers/net/wireless/marvell/mwifiex/join.c      | 12 ++++++++++++
 drivers/net/wireless/marvell/mwifiex/sta_ioctl.c |  4 ++++
 2 files changed, 16 insertions(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
index a4b773d..1c7b006 100644
--- a/drivers/net/wireless/marvell/mwifiex/join.c
+++ b/drivers/net/wireless/marvell/mwifiex/join.c
@@ -647,6 +647,12 @@ int mwifiex_ret_802_11_associate(struct mwifiex_private *priv,
 	const u8 *ie_ptr;
 	struct ieee80211_ht_operation *assoc_resp_ht_oper;
 
+	if (!priv->attempted_bss_desc) {
+		mwifiex_dbg(priv->adapter, ERROR,
+			    "ASSOC_RESP: failed, association terminated by host\n");
+		goto done;
+	}
+
 	assoc_rsp = (struct ieee_types_assoc_rsp *) &resp->params;
 
 	cap_info = le16_to_cpu(assoc_rsp->cap_info_bitmap);
@@ -1270,6 +1276,12 @@ int mwifiex_ret_802_11_ad_hoc(struct mwifiex_private *priv,
 	u16 cmd = le16_to_cpu(resp->command);
 	u8 result;
 
+	if (!priv->attempted_bss_desc) {
+		mwifiex_dbg(priv->adapter, ERROR,
+			    "ADHOC_RESP: failed, association terminated by host\n");
+		goto done;
+	}
+
 	if (cmd == HostCmd_CMD_802_11_AD_HOC_START)
 		result = start_result->result;
 	else
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
index 8e08626..2ba5397 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c
@@ -426,6 +426,10 @@ done:
 	if (bss_desc)
 		kfree(bss_desc->beacon_buf);
 	kfree(bss_desc);
+
+	if (ret < 0)
+		priv->attempted_bss_desc = NULL;
+
 	return ret;
 }