From: Barnabás Czémán <barnabas.czeman@mainlining.org> stable inclusion from stable-v6.6.76 commit e95f9c408ff8311f75eeabc8acf34a66670d8815 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBPBLV CVE: CVE-2024-57997 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 6200d947f050efdba4090dfefd8a01981363d954 ] KASAN reported a memory allocation issue in wcn->chan_survey due to incorrect size calculation. This commit uses kcalloc to allocate memory for wcn->chan_survey, ensuring proper initialization and preventing the use of uninitialized values when there are no frames on the channel. Fixes: 29696e0aa413 ("wcn36xx: Track SNR and RSSI for each RX frame") Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org> Acked-by: Loic Poulain <loic.poulain@linaro.org> Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Link: https://patch.msgid.link/20241104-wcn36xx-memory-allocation-v1-1-5ec901cf37b... Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: ZhangPeng <zhangpeng362@huawei.com> Signed-off-by: Xiongfeng Wang <wangxiongfeng2@huawei.com> --- drivers/net/wireless/ath/wcn36xx/main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c index 2bd1163177f0..9bbbc86fd2d9 100644 --- a/drivers/net/wireless/ath/wcn36xx/main.c +++ b/drivers/net/wireless/ath/wcn36xx/main.c @@ -1586,7 +1586,10 @@ static int wcn36xx_probe(struct platform_device *pdev) } n_channels = wcn_band_2ghz.n_channels + wcn_band_5ghz.n_channels; - wcn->chan_survey = devm_kmalloc(wcn->dev, n_channels, GFP_KERNEL); + wcn->chan_survey = devm_kcalloc(wcn->dev, + n_channels, + sizeof(struct wcn36xx_chan_survey), + GFP_KERNEL); if (!wcn->chan_survey) { ret = -ENOMEM; goto out_wq; -- 2.20.1