authorRafał Miłecki <rafal@milecki.pl>2019-01-07 17:11:23 +0100
committerRafał Miłecki <rafal@milecki.pl>2019-01-07 17:13:59 +0100
commit529c95cc15dc9fcc7709400cc921f2a3c03cd263 (patch)
tree1d095a964796c83a4e406c04ac225763ad45e31e /package/kernel
parent630d8b87a570b87ec3a0a2f950e87f674d381800 (diff)
mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
1) Using fwctx variable after brcmf_fw_request_done() was executed meant accessing freed memory. 2) Using fwctx->completion for the wait_for_completion_timeout() call could result in a NULL pointer dereference on fw loading error or if brcmf_fw_request_done() was executed quickly enough. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Diffstat (limited to 'package/kernel')
-rw-r--r--package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch5
1 files changed, 2 insertions, 3 deletions
diff --git a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
index 574fcb40d7..6452d81db5 100644
--- a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
+++ b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
@@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
ret = request_firmware_nowait(THIS_MODULE, true, first->path,
fwctx->dev, GFP_KERNEL, fwctx,
-@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
+@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
if (ret < 0)
brcmf_fw_request_done(NULL, fwctx);
-+ wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
-+ fwctx->completion = NULL;
++ wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
+
return 0;
}
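Review bot: The return value of `wait_for_completion_timeout()` on the new `++` line is discarded, so if the 5 s timeout elapses before brcmf_fw_request_done() has run, the function falls through to `return 0;` exactly as if firmware loading had finished. If `completion` is a local of brcmf_fw_get_firmwares (its declaration and the start of the body are outside this hunk), the still-pending callback would later call complete() on a stack address that is no longer live — the same use-after-free class this commit is fixing, only moved from fwctx to the completion. I would at least capture and report the timeout, e.g. `if (!wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)))` followed by `brcmf_err("timeout waiting for firmware request to complete\n");`, and add a comment that `fwctx` (including `fwctx->dev`) must not be touched after the wait because the callback may have freed it.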