diff options
author | Rafał Miłecki <rafal@milecki.pl> | 2019-02-11 11:25:54 +0100 |
---|---|---|
committer | Rafał Miłecki <rafal@milecki.pl> | 2019-02-11 11:46:03 +0100 |
commit | 19a6c4b2b3df775b3e57fa3a6f790cd08b17955e (patch) | |
tree | 5f1caf6a3d641f1b7041a6f3bcdc18e88f20715b | |
parent | d997712c71eb281b9aab3c73b39b8deae2b7d946 (diff) | |
download | upstream-19a6c4b2b3df775b3e57fa3a6f790cd08b17955e.tar.gz upstream-19a6c4b2b3df775b3e57fa3a6f790cd08b17955e.tar.bz2 upstream-19a6c4b2b3df775b3e57fa3a6f790cd08b17955e.zip |
mac80211: brcmfmac: fix a possible NULL pointer dereference
This fixes a possible crash in the brcmf_fw_request_nvram_done():
[ 31.687293] Backtrace:
[ 31.689760] [<c004fb4c>] (__wake_up_common) from [<c004fc38>] (__wake_up_locked+0x1c/0x24)
[ 31.698043] r10:c6794000 r9:00000009 r8:00000001 r7:bf54dda0 r6:a0000013 r5:c78e7d38
[ 31.705928] r4:c78e7d3c r3:00000000
[ 31.709528] [<c004fc1c>] (__wake_up_locked) from [<c00502a8>] (complete+0x3c/0x4c)
[ 31.717148] [<c005026c>] (complete) from [<bf54590c>] (brcmf_fw_request_nvram_done+0x5c8/0x6a4 [brcmfmac])
[ 31.726818] r7:bf54dda0 r6:c6794000 r5:00001990 r4:c6782380
[ 31.732544] [<bf545344>] (brcmf_fw_request_nvram_done [brcmfmac]) from [<c0204e40>] (request_firmware_work_func+0x38/0x60)
[ 31.743607] r10:00000008 r9:c6bdd700 r8:00000000 r7:c72c3cd8 r6:c67f4300 r5:c6bda300
[ 31.751493] r4:c67f4300
[ 31.754046] [<c0204e08>] (request_firmware_work_func) from [<c0034458>] (process_one_work+0x1e0/0x318)
[ 31.763365] r4:c72c3cc0
[ 31.765913] [<c0034278>] (process_one_work) from [<c0035234>] (worker_thread+0x2f4/0x448)
[ 31.774107] r10:00000008 r9:00000000 r8:c6bda314 r7:c72c3cd8 r6:c6bda300 r5:c6bda300
[ 31.781993] r4:c72c3cc0
[ 31.784545] [<c0034f40>] (worker_thread) from [<c003984c>] (kthread+0x100/0x114)
[ 31.791949] r10:00000000 r9:00000000 r8:00000000 r7:c0034f40 r6:c72c3cc0 r5:00000000
[ 31.799836] r4:c735dc00 r3:c79ed540
[ 31.803438] [<c003974c>] (kthread) from [<c00097d0>] (ret_from_fork+0x14/0x24)
[ 31.810672] r7:00000000 r6:00000000 r5:c003974c r4:c735dc00
[ 31.816378] Code: e5b53004 e1a07001 e1a06002 e243000c (e5934000)
[ 31.822487] ---[ end trace a0ffbb07a810d503 ]---
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 83bcacb5215c21e1894fbe3d651d83948479ce91)
-rw-r--r-- | package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index 2e710d3d62..3a3ffa7304 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -40,15 +40,16 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com> kfree(fwctx); } -@@ -598,6 +601,7 @@ int brcmf_fw_get_firmwares(struct device +@@ -598,6 +601,8 @@ int brcmf_fw_get_firmwares(struct device { struct brcmf_fw_item *first = &req->items[0]; struct brcmf_fw *fwctx; + struct completion completion; ++ unsigned long time_left; int ret; brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev)); -@@ -615,12 +619,17 @@ int brcmf_fw_get_firmwares(struct device +@@ -615,12 +620,20 @@ int brcmf_fw_get_firmwares(struct device fwctx->req = req; fwctx->done = fw_cb; @@ -61,7 +62,10 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com> if (ret < 0) brcmf_fw_request_done(NULL, fwctx); -+ wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)); ++ time_left = wait_for_completion_timeout(&completion, ++ msecs_to_jiffies(5000)); ++ if (!time_left && fwctx) ++ fwctx->completion = NULL; + return 0; } |