Commit dcf55e32 authored Mar 13, 2025 by Barnabás Czémán Committed by Xiongfeng Wang Mar 13, 2025

wifi: wcn36xx: fix channel survey memory allocation size

stable inclusion
from stable-v6.6.76
commit e95f9c408ff8311f75eeabc8acf34a66670d8815
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPBLV
CVE: CVE-2024-57997

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e95f9c408ff8311f75eeabc8acf34a66670d8815



--------------------------------

[ Upstream commit 6200d947f050efdba4090dfefd8a01981363d954 ]

KASAN reported a memory allocation issue in wcn->chan_survey
due to incorrect size calculation.
This commit uses kcalloc to allocate memory for wcn->chan_survey,
ensuring proper initialization and preventing the use of uninitialized
values when there are no frames on the channel.

Fixes: 29696e0a ("wcn36xx: Track SNR and RSSI for each RX frame")
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Acked-by: Loic Poulain <loic.poulain@linaro.org>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Link: https://patch.msgid.link/20241104-wcn36xx-memory-allocation-v1-1-5ec901cf37b6@mainlining.org


Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: ZhangPeng <zhangpeng362@huawei.com>
Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>

parent cc10030e

drivers/net/wireless/ath/wcn36xx/main.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -1586,7 +1586,10 @@ static int wcn36xx_probe(struct platform_device *pdev)
		}

		n_channels = wcn_band_2ghz.n_channels + wcn_band_5ghz.n_channels;
		wcn->chan_survey = devm_kmalloc(wcn->dev, n_channels, GFP_KERNEL);
		wcn->chan_survey = devm_kcalloc(wcn->dev,
		n_channels,
		sizeof(struct wcn36xx_chan_survey),
		GFP_KERNEL);
		if (!wcn->chan_survey) {
		ret = -ENOMEM;
		goto out_wq;