mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant
   accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
   could reuslt in NULL pointer dereference on fw loading error or if
   brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This commit is contained in:
Rafał Miłecki 2019-01-07 17:11:23 +01:00
parent 630d8b87a5
commit 529c95cc15

View File

@ -58,12 +58,11 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
ret = request_firmware_nowait(THIS_MODULE, true, first->path,
fwctx->dev, GFP_KERNEL, fwctx,
@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
if (ret < 0)
brcmf_fw_request_done(NULL, fwctx);
+ wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
+ fwctx->completion = NULL;
+ wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
+
return 0;
}