drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++-- drivers/net/wireless/marvell/mwifiex/main.c | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-)
Use kcalloc to allocate 'adapter->chan_stats' memory (max 900 bytes)
instead of vmalloc for efficiency and zero-initialize it for security
per Dan Carpenter's suggestion.
Cc: stable@vger.kernel.org
Fixes: bf35443314ac ("mwifiex: channel statistics support for mwifiex")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Qianfeng Rong <rongqianfeng@vivo.com>
---
v2: Change vmalloc_array/vfree to kcalloc/kfree.
---
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 5 +++--
drivers/net/wireless/marvell/mwifiex/main.c | 4 ++--
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
index 3498743d5ec0..4c8c7a5fdf23 100644
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -4673,8 +4673,9 @@ int mwifiex_init_channel_scan_gap(struct mwifiex_adapter *adapter)
* additional active scan request for hidden SSIDs on passive channels.
*/
adapter->num_in_chan_stats = 2 * (n_channels_bg + n_channels_a);
- adapter->chan_stats = vmalloc(array_size(sizeof(*adapter->chan_stats),
- adapter->num_in_chan_stats));
+ adapter->chan_stats = kcalloc(adapter->num_in_chan_stats,
+ sizeof(*adapter->chan_stats),
+ GFP_KERNEL);
if (!adapter->chan_stats)
return -ENOMEM;
diff --git a/drivers/net/wireless/marvell/mwifiex/main.c b/drivers/net/wireless/marvell/mwifiex/main.c
index 7b50a88a18e5..1ec069bc8ea1 100644
--- a/drivers/net/wireless/marvell/mwifiex/main.c
+++ b/drivers/net/wireless/marvell/mwifiex/main.c
@@ -642,7 +642,7 @@ static int _mwifiex_fw_dpc(const struct firmware *firmware, void *context)
goto done;
err_add_intf:
- vfree(adapter->chan_stats);
+ kfree(adapter->chan_stats);
err_init_chan_scan:
wiphy_unregister(adapter->wiphy);
wiphy_free(adapter->wiphy);
@@ -1485,7 +1485,7 @@ static void mwifiex_uninit_sw(struct mwifiex_adapter *adapter)
wiphy_free(adapter->wiphy);
adapter->wiphy = NULL;
- vfree(adapter->chan_stats);
+ kfree(adapter->chan_stats);
mwifiex_free_cmd_buffers(adapter);
}
--
2.34.1On Thu, Aug 14, 2025 at 09:15:31PM +0800, Qianfeng Rong wrote: > Use kcalloc to allocate 'adapter->chan_stats' memory (max 900 bytes) > instead of vmalloc for efficiency and zero-initialize it for security > per Dan Carpenter's suggestion. > This patch is okay, but lets re-write the commit message: Subject: wifi: mwifiex: Initialize the chan_stats array to zero The adapter->chan_stats[] array is initialized in mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out memory. The array is filled in mwifiex_update_chan_statistics() and then the user can query the data in mwifiex_cfg80211_dump_survey(). There are two potential issues here. What if the user calls mwifiex_cfg80211_dump_survey() before the data has been filled in. Also the mwifiex_update_chan_statistics() function doesn't necessarily initialize the whole array. Since the array was not initialized at the start that could result in an information leak. Also this array is pretty small. It's a maximum of 900 bytes so it's more appropriate to use kcalloc() instead vmalloc(). regards, dan carpenter
> This patch is okay, but lets re-write the commit message: … Can such feedback trigger further collateral evolution? Will any related software design options become more interesting? Regards, Markus
在 2025/8/14 22:50, Dan Carpenter 写道: > On Thu, Aug 14, 2025 at 09:15:31PM +0800, Qianfeng Rong wrote: >> Use kcalloc to allocate 'adapter->chan_stats' memory (max 900 bytes) >> instead of vmalloc for efficiency and zero-initialize it for security >> per Dan Carpenter's suggestion. >> > This patch is okay, but lets re-write the commit message: > > Subject: wifi: mwifiex: Initialize the chan_stats array to zero > > The adapter->chan_stats[] array is initialized in > mwifiex_init_channel_scan_gap() with vmalloc(), which doesn't zero out > memory. The array is filled in mwifiex_update_chan_statistics() > and then the user can query the data in mwifiex_cfg80211_dump_survey(). > > There are two potential issues here. What if the user calls > mwifiex_cfg80211_dump_survey() before the data has been filled in. > Also the mwifiex_update_chan_statistics() function doesn't necessarily > initialize the whole array. Since the array was not initialized at > the start that could result in an information leak. > > Also this array is pretty small. It's a maximum of 900 bytes so it's > more appropriate to use kcalloc() instead vmalloc(). Ok,Thank you for your correction, I will release the next version soon. > > regards, > dan carpenter Best regards, Qianfeng >
> Use kcalloc to allocate 'adapter->chan_stats' memory … I find the summary phrase and change description improvable. Regards, Markus
On Thu, 2025-08-14 at 16:33 +0200, Markus Elfring wrote: > > Use kcalloc to allocate 'adapter->chan_stats' memory … > > I find the summary phrase and change description improvable. We all find your behaviour improvable. Go away and leave the wireless list alone. johannes
© 2016 - 2025 Red Hat, Inc.