iwlwifi: fix TLV fragment allocation loop

In the allocation loop, "pages" will never become zero (because of the
DIV_ROUND_UP), so if we can't allocate any size and pages becomes 1,
we will keep trying to allocate 1 page until it succeeds.  And in that
case, as coverity reported, block will never be NULL.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487402 ("Control flow issues")
Fixes: 14124b25780d ("iwlwifi: dbg_ini: implement monitor allocation flow")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Fixes: 14124b25780d ("iwlwifi: dbg_ini: implement monitor allocation flow")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>

diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
index f266647dc08c83ecbf543edb62ee74854ef9d98d..ce8f248c33ea97a1333811dc7d49145786cf9425 100644 (file)
--- a/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-dbg-tlv.c
@@ -480,7 +480,14 @@ static int iwl_dbg_tlv_alloc_fragment(struct iwl_fw_runtime *fwrt,
        if (!frag || frag->size || !pages)
                return -EIO;
 
-       while (pages) {
+       /*
+        * We try to allocate as many pages as we can, starting with
+        * the requested amount and going down until we can allocate
+        * something.  Because of DIV_ROUND_UP(), pages will never go
+        * down to 0 and stop the loop, so stop when pages reaches 1,
+        * which is too small anyway.
+        */
+       while (pages > 1) {
                block = dma_alloc_coherent(fwrt->dev, pages * PAGE_SIZE,
                                           &physical,
                                           GFP_KERNEL | __GFP_NOWARN);