mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 23:42:43 +00:00
mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
1) Using fwctx variable after brcmf_fw_request_done() was executed meant accessing freed memory. 2) Using fwctx->completion for the wait_for_completion_timeout() call could reuslt in NULL pointer dereference on fw loading error or if brcmf_fw_request_done() was executed quickly enough. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This commit is contained in:
parent
630d8b87a5
commit
529c95cc15
@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
|
||||
|
||||
ret = request_firmware_nowait(THIS_MODULE, true, first->path,
|
||||
fwctx->dev, GFP_KERNEL, fwctx,
|
||||
@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
|
||||
@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
|
||||
if (ret < 0)
|
||||
brcmf_fw_request_done(NULL, fwctx);
|
||||
|
||||
+ wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
|
||||
+ fwctx->completion = NULL;
|
||||
+ wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user