mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference

1) Using fwctx variable after brcmf_fw_request_done() was executed meant accessing freed memory. 2) Using fwctx->completion for the wait_for_completion_timeout() call could reuslt in NULL pointer dereference on fw loading error or if brcmf_fw_request_done() was executed quickly enough. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 529c95cc15dc9fcc7709400cc921f2a3c03cd263)
author: Rafał Miłecki 2019-01-07 16:11:23 +0000
committer: Rafał Miłecki 2019-01-08 10:46:24 +0000
commit: 9d4eed6837c014380d16ec6824b643d25731b927 (patch)
tree: daf9ca93903d0a60979b6486f7749937b9c51638
parent: 834bd864245293d26bc9ca1ee956799de5865b37 (diff)
download: openwrt-9d4eed6837c014380d16ec6824b643d25731b927.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
index 4f9d154b3f..bb059d1624 100644
--- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
+++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch
@@ -88,9 +88,9 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
  				       GFP_KERNEL, fwctx,
  				       brcmf_fw_request_code_done);
 +	if (!err)
-+		wait_for_completion_timeout(fwctx->completion,
++		wait_for_completion_timeout(&completion,
 +					    msecs_to_jiffies(5000));
-+	fwctx->completion = NULL;
++
 +	return err;
  }
author	Rafał Miłecki	2019-01-07 16:11:23 +0000
committer	Rafał Miłecki	2019-01-08 10:46:24 +0000
commit	9d4eed6837c014380d16ec6824b643d25731b927 (patch)
tree	daf9ca93903d0a60979b6486f7749937b9c51638
parent	834bd864245293d26bc9ca1ee956799de5865b37 (diff)
download	openwrt-9d4eed6837c014380d16ec6824b643d25731b927.tar.gz