mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference
author Rafał Miłecki <rafal@milecki.pl>
Mon, 7 Jan 2019 16:11:23 +0000 (17:11 +0100)
committer Rafał Miłecki <rafal@milecki.pl>
Tue, 8 Jan 2019 10:46:24 +0000 (11:46 +0100)
1) Using fwctx variable after brcmf_fw_request_done() was executed meant
   accessing freed memory.
2) Using fwctx->completion for the wait_for_completion_timeout() call
   could result in NULL pointer dereference on fw loading error or if
   brcmf_fw_request_done() was executed quickly enough.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 529c95cc15dc9fcc7709400cc921f2a3c03cd263)

package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch

index 4f9d154b3f97539c959dbabb07e3ee54f2b31332..bb059d16244219f4bec2757522b8f6f9db62fbd7 100644 (file)
@@ -88,9 +88,9 @@ Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
                                       GFP_KERNEL, fwctx,
                                       brcmf_fw_request_code_done);
 +      if (!err)
-+              wait_for_completion_timeout(fwctx->completion,
++              wait_for_completion_timeout(&completion,
 +                                          msecs_to_jiffies(5000));
-+      fwctx->completion = NULL;
++
 +      return err;
  }
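Review bot: the return value of wait_for_completion_timeout(&completion, msecs_to_jiffies(5000)) is discarded in the `if (!err)` branch, so a 5000 ms timeout looks the same as a finished firmware load and the function still returns err == 0. The declaration of `completion` is not visible in this hunk; if it lives on this function's stack, a callback that fires after the timeout would signal an object that is already out of scope, which is the same class of lifetime bug this commit sets out to fix. Consider testing the result for 0 and returning an error such as -ETIMEDOUT, and make sure the callback path can no longer reach the completion once this function has returned. A one-line comment explaining why the old `fwctx->completion = NULL;` reset is no longer needed would also help the next reader.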