From f3f21b3d2a7430cbd39c7e8ec04165e9efcac8ba Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Mon, 11 Feb 2019 11:25:54 +0100 Subject: [PATCH] mac80211: brcmfmac: fix a possible NULL pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This fixes a possible crash in the brcmf_fw_request_nvram_done(): [ 31.687293] Backtrace: [ 31.689760] [] (__wake_up_common) from [] (__wake_up_locked+0x1c/0x24) [ 31.698043] r10:c6794000 r9:00000009 r8:00000001 r7:bf54dda0 r6:a0000013 r5:c78e7d38 [ 31.705928] r4:c78e7d3c r3:00000000 [ 31.709528] [] (__wake_up_locked) from [] (complete+0x3c/0x4c) [ 31.717148] [] (complete) from [] (brcmf_fw_request_nvram_done+0x5c8/0x6a4 [brcmfmac]) [ 31.726818] r7:bf54dda0 r6:c6794000 r5:00001990 r4:c6782380 [ 31.732544] [] (brcmf_fw_request_nvram_done [brcmfmac]) from [] (request_firmware_work_func+0x38/0x60) [ 31.743607] r10:00000008 r9:c6bdd700 r8:00000000 r7:c72c3cd8 r6:c67f4300 r5:c6bda300 [ 31.751493] r4:c67f4300 [ 31.754046] [] (request_firmware_work_func) from [] (process_one_work+0x1e0/0x318) [ 31.763365] r4:c72c3cc0 [ 31.765913] [] (process_one_work) from [] (worker_thread+0x2f4/0x448) [ 31.774107] r10:00000008 r9:00000000 r8:c6bda314 r7:c72c3cd8 r6:c6bda300 r5:c6bda300 [ 31.781993] r4:c72c3cc0 [ 31.784545] [] (worker_thread) from [] (kthread+0x100/0x114) [ 31.791949] r10:00000000 r9:00000000 r8:00000000 r7:c0034f40 r6:c72c3cc0 r5:00000000 [ 31.799836] r4:c735dc00 r3:c79ed540 [ 31.803438] [] (kthread) from [] (ret_from_fork+0x14/0x24) [ 31.810672] r7:00000000 r6:00000000 r5:c003974c r4:c735dc00 [ 31.816378] Code: e5b53004 e1a07001 e1a06002 e243000c (e5934000) [ 31.822487] ---[ end trace a0ffbb07a810d503 ]--- Signed-off-by: Rafał Miłecki (cherry picked from commit 83bcacb5215c21e1894fbe3d651d83948479ce91) --- ...mfmac-register-wiphy-s-during-module_init.patch | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch index bb059d1624..c52b4ca6bf 100644 --- a/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch +++ b/package/kernel/mac80211/patches/860-brcmfmac-register-wiphy-s-during-module_init.patch @@ -67,16 +67,17 @@ Signed-off-by: Rafał Miłecki kfree(fwctx); } -@@ -528,6 +537,8 @@ int brcmf_fw_get_firmwares_pcie(struct d +@@ -528,6 +537,9 @@ int brcmf_fw_get_firmwares_pcie(struct d u16 domain_nr, u16 bus_nr) { struct brcmf_fw *fwctx; + struct completion completion; ++ unsigned long time_left; + int err; brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev)); if (!fw_cb || !code) -@@ -548,9 +559,17 @@ int brcmf_fw_get_firmwares_pcie(struct d +@@ -548,9 +560,20 @@ int brcmf_fw_get_firmwares_pcie(struct d fwctx->domain_nr = domain_nr; fwctx->bus_nr = bus_nr; @@ -87,9 +88,12 @@ Signed-off-by: Rafał Miłecki + err = request_firmware_nowait(THIS_MODULE, true, code, dev, GFP_KERNEL, fwctx, brcmf_fw_request_code_done); -+ if (!err) -+ wait_for_completion_timeout(&completion, -+ msecs_to_jiffies(5000)); ++ if (!err) { ++ time_left = wait_for_completion_timeout(&completion, ++ msecs_to_jiffies(5000)); ++ if (!time_left && fwctx) ++ fwctx->completion = NULL; ++ } + + return err; } -- 2.25.1