mac80211: rt2x00: fix crash on release_firmware

Fix crash due to passing invalid r2x00dev->eeprom_file pointer to
release_firmware(). Since we copy eeprom data with EEPROM_SIZE
in rt2800_read_eeprom() we can use eeprom_file->size as marker
if the file was crated by request_firmware().

Acked-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
This commit is contained in:
Stanislaw Gruszka 2019-02-24 10:23:18 +01:00 committed by Daniel Golle
parent 0f89c17b57
commit 426ffc563a
2 changed files with 5 additions and 5 deletions

View File

@ -152,7 +152,7 @@
--- /dev/null --- /dev/null
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c
@@ -0,0 +1,105 @@ @@ -0,0 +1,106 @@
+/* +/*
+ Copyright (C) 2004 - 2009 Ivo van Doorn <IvDoorn@gmail.com> + Copyright (C) 2004 - 2009 Ivo van Doorn <IvDoorn@gmail.com>
+ Copyright (C) 2004 - 2009 Gertjan van Wingerde <gwingerde@gmail.com> + Copyright (C) 2004 - 2009 Gertjan van Wingerde <gwingerde@gmail.com>
@ -255,6 +255,7 @@
+ +
+void rt2x00lib_free_eeprom_file(struct rt2x00_dev *rt2x00dev) +void rt2x00lib_free_eeprom_file(struct rt2x00_dev *rt2x00dev)
+{ +{
+ if (rt2x00dev->eeprom_file && rt2x00dev->eeprom_file->size)
+ release_firmware(rt2x00dev->eeprom_file); + release_firmware(rt2x00dev->eeprom_file);
+ rt2x00dev->eeprom_file = NULL; + rt2x00dev->eeprom_file = NULL;
+} +}

View File

@ -22,7 +22,7 @@ Signed-off-by: John Crispin <blogic@openwrt.org>
Supported chips: RT2880, RT3050, RT3052, RT3350, RT3352. Supported chips: RT2880, RT3050, RT3052, RT3350, RT3352.
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c --- a/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c +++ b/drivers/net/wireless/ralink/rt2x00/rt2x00eeprom.c
@@ -26,11 +26,73 @@ @@ -26,11 +26,72 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/module.h> #include <linux/module.h>
@ -84,7 +84,6 @@ Signed-off-by: John Crispin <blogic@openwrt.org>
+ rt2x00dev->eeprom[i] = swab16(rt2x00dev->eeprom[i]); + rt2x00dev->eeprom[i] = swab16(rt2x00dev->eeprom[i]);
+ +
+ rt2x00dev->eeprom_file = &mtd_fw; + rt2x00dev->eeprom_file = &mtd_fw;
+ mtd_fw.size = len;
+ mtd_fw.data = (const u8 *) rt2x00dev->eeprom; + mtd_fw.data = (const u8 *) rt2x00dev->eeprom;
+ +
+ dev_info(rt2x00dev->dev, "loaded eeprom from mtd device \"%s\"\n", part); + dev_info(rt2x00dev->dev, "loaded eeprom from mtd device \"%s\"\n", part);
@ -96,7 +95,7 @@ Signed-off-by: John Crispin <blogic@openwrt.org>
static const char * static const char *
rt2x00lib_get_eeprom_file_name(struct rt2x00_dev *rt2x00dev) rt2x00lib_get_eeprom_file_name(struct rt2x00_dev *rt2x00dev)
{ {
@@ -58,6 +120,9 @@ static int rt2x00lib_request_eeprom_file @@ -58,6 +119,9 @@ static int rt2x00lib_request_eeprom_file
const char *ee_name; const char *ee_name;
int retval; int retval;