author | Rafał Miłecki <rafal@milecki.pl> | 2019-01-07 17:11:23 +0100 |
---|---|---|
committer | Rafał Miłecki <rafal@milecki.pl> | 2019-01-08 11:46:24 +0100 |
commit | 9d4eed6837c014380d16ec6824b643d25731b927 (patch) | |
tree | daf9ca93903d0a60979b6486f7749937b9c51638 | |
parent | 834bd864245293d26bc9ca1ee956799de5865b37 (diff) | |
mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
1) Using fwctx variable after brcmf_fw_request_done() was executed meant
accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
could result in NULL pointer dereference on fw loading error or if
brcmf_fw_request_done() was executed quickly enough.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 529c95cc15dc9fcc7709400cc921f2a3c03cd263)
-rw-r--r-- | package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index 4f9d154b3f..bb059d1624 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -88,9 +88,9 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com> GFP_KERNEL, fwctx, brcmf_fw_request_code_done); + if (!err) -+ wait_for_completion_timeout(fwctx->completion, ++ wait_for_completion_timeout(&completion, + msecs_to_jiffies(5000)); -+ fwctx->completion = NULL; ++ + return err; } |
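Review bot: the return value of wait_for_completion_timeout() in the `if (!err)` branch is still discarded, so a wait that gives up after 5000 ms is indistinguishable from a finished firmware request and the function goes on to `return err;` with err equal to 0. Because the wait is now on `&completion` instead of `fwctx->completion`, the lifetime of that object matters as well: its declaration is outside the visible context, and if it is local to this function, a callback that runs after the timeout would signal an object that is no longer valid. Suggest checking the result (for example returning -ETIMEDOUT when it is 0) and adding a comment on who owns `completion` once the wait has timed out. The line that replaces `fwctx->completion = NULL;` is now an empty added line in the inner patch and could simply be dropped.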