From: Nikoloz Bakuradze
To: Greg Kroah-Hartman, Khushal Chitturi, Archit Anant, Minu Jin, Andy Shevchenko, Kees Cook, Hans de Goede, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org
Cc: Nikoloz Bakuradze, stable@vger.kernel.org
Subject: [PATCH] staging: rtl8723bs: core: avoid NULL pointer dereference in c2h_wk_callback
Date: Mon, 8 Jun 2026 23:06:58 +0400
Message-ID: <20260608190700.85755-1-nbakuradze28@gmail.com>

c2h_wk_callback() allocates a 16-byte buffer with kmalloc(GFP_ATOMIC) when the c2h event needs to be read by the host. The existing guard only wraps the read step, so on allocation failure the loop body falls through with a NULL c2h_evt and dereferences it in rtw_hal_c2h_valid() (via c2h_evt_valid() which reads buf->id).

Restructure the check into an early continue so the rest of the loop iteration cannot be reached with a NULL pointer.

Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable@vger.kernel.org
Signed-off-by: Nikoloz Bakuradze
---
drivers/staging/rtl8723bs/core/rtw_cmd.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl= 8723bs/core/rtw_cmd.c index c1185c25ed369..874970116f920 100644 --- a/drivers/staging/rtl8723bs/core/rtw_cmd.c +++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c 
@@ -1702,12 +1702,12 @@ static void c2h_wk_callback(struct work_struct *wor= k) c2h_evt_clear(adapter); } else { c2h_evt =3D kmalloc(16, GFP_ATOMIC); - if (c2h_evt) { - /* This C2H event is not read, read & clear now */ - if (c2h_evt_read_88xx(adapter, c2h_evt) !=3D _SUCCESS) { - kfree(c2h_evt); - continue; - } + if (!c2h_evt) + continue; + /* This C2H event is not read, read & clear now */ + if (c2h_evt_read_88xx(adapter, c2h_evt) !=3D _SUCCESS) { + kfree(c2h_evt); + continue; } } =20 --=20 2.54.0
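Review bot: On the new "if (!c2h_evt) continue;" path the pending C2H event is neither read nor cleared, even though the comment directly below says this event has to be "read & clear now" and the sibling branch calls c2h_evt_clear(adapter). If an uncleared event can hold up later C2H delivery, call c2h_evt_clear(adapter) before the continue; otherwise say in the commit message that dropping the event on allocation failure is intended. Separately, this is a work_struct callback, so unless a lock is held around the loop (not visible in this hunk) GFP_KERNEL may be usable for the 16-byte kmalloc(), which would make the failure path much less likely; that could go in a follow-up patch rather than this stable fix.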