1) Using fwctx variable after brcmf_fw_request_done() was executed meant
accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
could result in NULL pointer dereference on fw loading error or if
brcmf_fw_request_done() was executed quickly enough.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
ret = request_firmware_nowait(THIS_MODULE, true, first->path,
fwctx->dev, GFP_KERNEL, fwctx,
ret = request_firmware_nowait(THIS_MODULE, true, first->path,
fwctx->dev, GFP_KERNEL, fwctx,
-@@ -696,6 +703,9 @@ int brcmf_fw_get_firmwares(struct device
+@@ -696,6 +703,8 @@ int brcmf_fw_get_firmwares(struct device
if (ret < 0)
brcmf_fw_request_done(NULL, fwctx);
if (ret < 0)
brcmf_fw_request_done(NULL, fwctx);
-+ wait_for_completion_timeout(fwctx->completion, msecs_to_jiffies(5000));
-+ fwctx->completion = NULL;
++ wait_for_completion_timeout(&completion, msecs_to_jiffies(5000));
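Review bot: the return value of wait_for_completion_timeout() on the added line is discarded, so a 5000 ms timeout cannot be told apart from a finished firmware request. If `completion` is a local variable of brcmf_fw_get_firmwares() (the `&completion` form suggests this, but its declaration is not in the visible lines), returning after a timeout would leave the asynchronous firmware callback signalling a completion in a stack frame that no longer exists, which is the same class of stale-memory access the commit message sets out to fix. Suggest checking the return value and either waiting without a timeout or keeping the completion in storage that is guaranteed to outlive the callback. A short comment explaining the choice of 5000 ms would also help.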