mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
author Rafał Miłecki <rafal@milecki.pl>
Mon, 7 Jan 2019 16:11:23 +0000 (17:11 +0100)
committer Rafał Miłecki <rafal@milecki.pl>
Mon, 7 Jan 2019 16:13:59 +0000 (17:13 +0100)
1) Using fwctx variable after brcmf_fw_request_done() was executed meant
   accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
   could result in NULL pointer dereference on fw loading error or if
   brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch

index 574fcb40d773279c88f3ca0d68dc6220d17f016b..6452d81db5f22190d29fcefb4ddaf3064cb6b38d 100644 (file)
@@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
  
        ret = request_firmware_nowait(THIS_MODULE, true, first->path,
                                      fwctx->dev, GFP_KERNEL, fwctx,
-@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
+@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
        if (ret < 0)
                brcmf_fw_request_done(NULL, fwctx);
  
-+      wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
-+      fwctx->completion = NULL;
++      wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
 +
        return 0;
  }
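Review bot: the `wait_for_completion_timeout(&completion, msecs_to_jiffies(5000))` line at the end of this hunk discards the return value, so when the 5000 ms timeout expires the function still falls through to `return 0;` while the `request_firmware_nowait()` request issued a few lines above may still be in flight; because `completion` is now a local rather than something reachable through `fwctx`, please confirm that the completion path in `brcmf_fw_request_done()` can never signal it after this function has returned, otherwise the use-after-free on `fwctx` is traded for one on the stack-allocated completion. The declaration and initialisation of `completion` are not visible in this hunk, so the hunk only makes sense together with the part of the patch that removes the `fwctx->completion` member; it would help to mention that in the commit message. The header count change from `+703,9` to `+703,8` matches the one removed `+` line, so the hunk bookkeeping is consistent.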