From: Rafał Miłecki
Date: Mon, 7 Jan 2019 16:11:23 +0000 (+0100)
Subject: mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
X-Git-Tag: v17.01.7~29
X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fopenwrt.git;a=commitdiff_plain;h=9d4eed6837c014380d16ec6824b643d25731b927

mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call could result in NULL pointer dereference on fw loading error or if brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki
(cherry picked from commit 529c95cc15dc9fcc7709400cc921f2a3c03cd263)
---
diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index 4f9d154b3f..bb059d1624 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -88,9 +88,9 @@ Signed-off-by: Rafał Miłecki GFP_KERNEL, fwctx, brcmf_fw_request_code_done); + if (!err) -+ wait_for_completion_timeout(fwctx->completion, ++ wait_for_completion_timeout(&completion, + msecs_to_jiffies(5000)); -+ fwctx->completion = NULL; ++ + return err; }
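
Review bot: The return value of wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)) is still discarded, so a 5-second timeout falls through to "return err" with err == 0, exactly like a finished firmware load. The wait now takes &completion, which reads as an object owned by this function rather than by fwctx; the hunk does not show its declaration, so this is an inference. If the callback path still holds a pointer to it, a timeout lets this function return while brcmf_fw_request_done() can later signal a completion that no longer exists, which would trade the use-after-free on fwctx for one on the completion. Suggest checking the result and, when it is 0, handling the timeout explicitly: either make sure the callback can no longer reach the completion before returning, or give the completion a lifetime that does not end with this function. The commit message would also benefit from one line stating who owns the completion after this change, since the removed "fwctx->completion = NULL" was the only visible point where that pointer was cleared.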