From: Rafał Miłecki
Date: Mon, 7 Jan 2019 16:11:23 +0000 (+0100)
Subject: mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
X-Git-Tag: v19.07.0-rc1~1643
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=529c95cc15dc;p=openwrt%2Fstaging%2Fpepe2k.git

mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call could reuslt in NULL pointer dereference on fw loading error or if brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki
---

diff --git a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
index 574fcb40d7..6452d81db5 100644
--- a/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
+++ b/package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
@@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki
  	ret = request_firmware_nowait(THIS_MODULE, true, first->path,
  				      fwctx->dev, GFP_KERNEL, fwctx,
-@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
+@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
  	if (ret < 0)
  		brcmf_fw_request_done(NULL, fwctx);
-+	wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
-+	fwctx->completion = NULL;
++	wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
 +
  	return 0;
  }
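Review bot: The result of `wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));` on the new side is discarded, so when the 5 s timeout expires brcmf_fw_get_firmwares() still returns 0 while the asynchronous firmware request may still be in flight. The declaration of `completion` is outside this hunk; if it is an on-stack completion, a late brcmf_fw_request_done() would then call complete() on storage that no longer exists, which trades the freed-fwctx access this commit removes for a stack use-after-return of the same kind. At minimum the timeout should be observable, e.g. `if (!wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)))` followed by an error log so the condition shows up in dmesg, and a comment above the wait should state why a bounded wait is acceptable here and what guarantees the callback cannot fire afterwards. The enclosing function starts before this hunk.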