mac80211: brcmfmac: fix a possible NULL pointer dereference
authorRafał Miłecki <rafal@milecki.pl>
Mon, 11 Feb 2019 10:25:54 +0000 (11:25 +0100)
committerRafał Miłecki <rafal@milecki.pl>
Mon, 11 Feb 2019 10:59:41 +0000 (11:59 +0100)
This fixes a possible crash in brcmf_fw_request_nvram_done():
[   31.687293] Backtrace:
[   31.689760] [<c004fb4c>] (__wake_up_common) from [<c004fc38>] (__wake_up_locked+0x1c/0x24)
[   31.698043]  r10:c6794000 r9:00000009 r8:00000001 r7:bf54dda0 r6:a0000013 r5:c78e7d38
[   31.705928]  r4:c78e7d3c r3:00000000
[   31.709528] [<c004fc1c>] (__wake_up_locked) from [<c00502a8>] (complete+0x3c/0x4c)
[   31.717148] [<c005026c>] (complete) from [<bf54590c>] (brcmf_fw_request_nvram_done+0x5c8/0x6a4 [brcmfmac])
[   31.726818]  r7:bf54dda0 r6:c6794000 r5:00001990 r4:c6782380
[   31.732544] [<bf545344>] (brcmf_fw_request_nvram_done [brcmfmac]) from [<c0204e40>] (request_firmware_work_func+0x38/0x60)
[   31.743607]  r10:00000008 r9:c6bdd700 r8:00000000 r7:c72c3cd8 r6:c67f4300 r5:c6bda300
[   31.751493]  r4:c67f4300
[   31.754046] [<c0204e08>] (request_firmware_work_func) from [<c0034458>] (process_one_work+0x1e0/0x318)
[   31.763365]  r4:c72c3cc0
[   31.765913] [<c0034278>] (process_one_work) from [<c0035234>] (worker_thread+0x2f4/0x448)
[   31.774107]  r10:00000008 r9:00000000 r8:c6bda314 r7:c72c3cd8 r6:c6bda300 r5:c6bda300
[   31.781993]  r4:c72c3cc0
[   31.784545] [<c0034f40>] (worker_thread) from [<c003984c>] (kthread+0x100/0x114)
[   31.791949]  r10:00000000 r9:00000000 r8:00000000 r7:c0034f40 r6:c72c3cc0 r5:00000000
[   31.799836]  r4:c735dc00 r3:c79ed540
[   31.803438] [<c003974c>] (kthread) from [<c00097d0>] (ret_from_fork+0x14/0x24)
[   31.810672]  r7:00000000 r6:00000000 r5:c003974c r4:c735dc00
[   31.816378] Code: e5b53004 e1a07001 e1a06002 e243000c (e5934000)
[   31.822487] ---[ end trace a0ffbb07a810d503 ]---

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 83bcacb5215c21e1894fbe3d651d83948479ce91)

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

index bb059d1..c52b4ca 100644 (file)
@@ -67,16 +67,17 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
        kfree(fwctx);
  }
  
-@@ -528,6 +537,8 @@ int brcmf_fw_get_firmwares_pcie(struct d
+@@ -528,6 +537,9 @@ int brcmf_fw_get_firmwares_pcie(struct d
                                u16 domain_nr, u16 bus_nr)
  {
        struct brcmf_fw *fwctx;
 +      struct completion completion;
++      unsigned long time_left;
 +      int err;
  
        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
        if (!fw_cb || !code)
-@@ -548,9 +559,17 @@ int brcmf_fw_get_firmwares_pcie(struct d
+@@ -548,9 +560,20 @@ int brcmf_fw_get_firmwares_pcie(struct d
        fwctx->domain_nr = domain_nr;
        fwctx->bus_nr = bus_nr;
  
@@ -87,9 +88,12 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 +      err = request_firmware_nowait(THIS_MODULE, true, code, dev,
                                       GFP_KERNEL, fwctx,
                                       brcmf_fw_request_code_done);
-+      if (!err)
-+              wait_for_completion_timeout(&completion,
-+                                          msecs_to_jiffies(5000));
++      if (!err) {
++              time_left = wait_for_completion_timeout(&completion,
++                                                      msecs_to_jiffies(5000));
++              if (!time_left && fwctx)
++                      fwctx->completion = NULL;
++      }
 +
 +      return err;
  }
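Review bot: The `&& fwctx` test on the new `if (!time_left && fwctx)` line guards nothing: `fwctx` is the local pointer that was already dereferenced a few lines up (`fwctx->domain_nr = domain_nr;` in the previous hunk), so it cannot be NULL here, while the hazard it seems aimed at — the callback having already run the `kfree(fwctx)` visible at the top of the first hunk, presumably at the end of the request callback — is not detectable from a local pointer. Clearing `fwctx->completion` after the timeout therefore appears to race with the workqueue callback: the store may land in memory the callback has just freed, and the callback may already have read the completion pointer before the store and still call complete() on the stack variable once this function has returned, which is the same path the backtrace in the description shows. Without shared ownership of fwctx (a reference count, or a lock taken on both sides around the completion pointer) the change only narrows the window rather than closing it. At minimum the intent deserves a comment, `/* Stack completion dies on return; tell the callback not to touch it. */`, and the dead `&& fwctx` test should be dropped so the condition reads `if (!time_left)`. The enclosing function brcmf_fw_get_firmwares_pcie begins in the previous hunk.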