wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()

Matvey Kovalev · gregkh · commit 1f52119809b7 · 2025-10-06T11:17:52.000+02:00
commit 3fd2ef2 upstream. If ab->fw.m3_data points to data, then fw pointer remains null. Further, if m3_mem is not allocated, then fw is dereferenced to be passed to ath11k_err function. Replace fw->size by m3_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 7db88b9 ("wifi: ath11k: add firmware-2.bin support") Cc: stable@vger.kernel.org Signed-off-by: Matvey Kovalev <matvey.kovalev@ispras.ru> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/net/wireless/ath/ath11k/qmi.c b/drivers/net/wireless/ath/ath11k/qmi.c
@@ -2550,7 +2550,7 @@ static int ath11k_qmi_m3_load(struct ath11k_base *ab)
 					   GFP_KERNEL);
 	if (!m3_mem->vaddr) {
 		ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n",
-			   fw->size);
+			   m3_len);
 		ret = -ENOMEM;
 		goto out;
 	}

Original file line number	Diff line number	Diff line change
`@@ -2550,7 +2550,7 @@ static int ath11k_qmi_m3_load(struct ath11k_base *ab)`
`2550`	`2550`	`GFP_KERNEL);`
`2551`	`2551`	`if (!m3_mem->vaddr) {`
`2552`	`2552`	`ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n",`
`2553`		`- fw->size);`
	`2553`	`+ m3_len);`
`2554`	`2554`	`ret = -ENOMEM;`
`2555`	`2555`	`goto out;`
`2556`	`2556`	`}`