Commit 4f565ee2 authored Nov 25, 2019 by Luca Coelho

iwlwifi: fix TLV fragment allocation loop

In the allocation loop, "pages" will never become zero (because of the
DIV_ROUND_UP), so if we can't allocate any size and pages becomes 1,
we will keep trying to allocate 1 page until it succeeds. And in that
case, as coverity reported, block will never be NULL.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487402 ("Control flow issues")
Fixes: 14124b25 ("iwlwifi: dbg_ini: implement monitor allocation flow")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Fixes: 14124b25 ("iwlwifi: dbg_ini: implement monitor allocation flow")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

parent a89c72ff

drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c

+8 −1

Original line number	Diff line number	Diff line
		@@ -480,7 +480,14 @@ static int iwl_dbg_tlv_alloc_fragment(struct iwl_fw_runtime *fwrt,
		if (!frag \|\| frag->size \|\| !pages)
		return -EIO;

		while (pages) {
		/*
		* We try to allocate as many pages as we can, starting with
		* the requested amount and going down until we can allocate
		* something. Because of DIV_ROUND_UP(), pages will never go
		* down to 0 and stop the loop, so stop when pages reaches 1,
		* which is too small anyway.
		*/
		while (pages > 1) {
		block = dma_alloc_coherent(fwrt->dev, pages * PAGE_SIZE,
		&physical,
		GFP_KERNEL \| __GFP_NOWARN);

Admin message