From patchwork Thu Nov 15 02:46:10 2012
X-Patchwork-Submitter: Franky Lin
X-Patchwork-Id: 1745161
From: "Franky Lin"
To: linville@tuxdriver.com
cc: linux-wireless@vger.kernel.org, "Arend van Spriel"
Subject: [PATCH 06/19] brcmfmac: correct handling IF firmware event
Date: Wed, 14 Nov 2012 18:46:10 -0800
Message-ID: <1352947583-25341-7-git-send-email-frankyl@broadcom.com>
X-Mailer: git-send-email 1.7.6
In-Reply-To: <1352947583-25341-1-git-send-email-frankyl@broadcom.com>
References: <1352947583-25341-1-git-send-email-frankyl@broadcom.com>
MIME-Version: 1.0
X-WSS-ID: 7CBA891B3P83077757-01-01
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

From: Arend van Spriel

Testing revealed the IF ADD event contains the interface index of the
new interface. This would result in a NULL pointer access when handling
the event.

Reviewed-by: Pieter-Paul Giesberts
Reviewed-by: Hante Meuleman
Signed-off-by: Arend van Spriel
Signed-off-by: Franky Lin
---
 drivers/net/wireless/brcm80211/brcmfmac/fweh.c | 66 +++++++++++-------------
 1 file changed, 31 insertions(+), 35 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
index 825be26..e1521af 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -191,42 +191,13 @@ static const char *brcmf_fweh_event_name(enum brcmf_fweh_event_code code) /** * brcmf_fweh_queue_event() - create and queue event. * - * @ifp: firmware interface object. - * @code: event code. - * @pkt: event ether packet. + * @fweh: firmware event handling info. + * @event: event queue entry. */ -static void brcmf_fweh_queue_event(struct brcmf_if *ifp, - enum brcmf_fweh_event_code code, - struct brcmf_event *pkt) +static void brcmf_fweh_queue_event(struct brcmf_fweh_info *fweh, + struct brcmf_fweh_queue_item *event) { - struct brcmf_fweh_info *fweh = &ifp->drvr->fweh; - struct brcmf_fweh_queue_item *event; - gfp_t alloc_flag = GFP_KERNEL; ulong flags; - void *data; - u32 datalen; - - /* determine event data */ - datalen = get_unaligned_be32(&pkt->msg.datalen); - data = &pkt[1]; - - if (!ifp->ndev || (code != BRCMF_E_IF && !fweh->evt_handler[code])) { - brcmf_dbg(EVENT, "event ignored: code=%d\n", code); - brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), data, datalen, "event:"); - return; - } - - if (in_interrupt()) - alloc_flag = GFP_ATOMIC; - - event = kzalloc(sizeof(*event) + datalen, alloc_flag); - event->code = code; - event->ifidx = ifp->idx; - - /* use memcpy to get aligned event message */ - memcpy(&event->emsg, &pkt->msg, sizeof(event->emsg)); - memcpy(event->data, data, datalen); - memcpy(event->ifaddr, pkt->eth.h_dest, ETH_ALEN); spin_lock_irqsave(&fweh->evt_q_lock, flags); list_add_tail(&event->q, &fweh->event_q); 
@@ -489,10 +460,35 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr, struct brcmf_event *event_packet, u8 *ifidx) { enum brcmf_fweh_event_code code; + struct brcmf_fweh_info *fweh = &drvr->fweh; + struct brcmf_fweh_queue_item *event; + gfp_t alloc_flag = GFP_KERNEL; + void *data; + u32 datalen; - /* determine event code and interface index */ + /* get event info */ code = get_unaligned_be32(&event_packet->msg.event_type); + datalen = get_unaligned_be32(&event_packet->msg.datalen); *ifidx = event_packet->msg.ifidx; + data = &event_packet[1]; + + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) { + brcmf_dbg(EVENT, "event ignored: code=%d\n", code); + brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), data, datalen, "event:"); + return; + } + + if (in_interrupt()) + alloc_flag = GFP_ATOMIC; + + event = kzalloc(sizeof(*event) + datalen, alloc_flag); + event->code = code; + event->ifidx = *ifidx; + + /* use memcpy to get aligned event message */ + memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg)); + memcpy(event->data, data, datalen); + memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN); - brcmf_fweh_queue_event(drvr->iflist[*ifidx], code, event_packet); + brcmf_fweh_queue_event(fweh, event); }
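Review bot: the kernel-doc summary in the first hunk still reads "brcmf_fweh_queue_event() - create and queue event", but after this change the function no longer creates anything: it only takes fweh->evt_q_lock and appends an already-built item to fweh->event_q. Reword the summary to "queue event" and say in the @event description that the caller allocates the item and that ownership passes to the queue, so it is clear who frees it.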
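Review bot: in the brcmf_fweh_process_event() hunk, the result of "event = kzalloc(sizeof(*event) + datalen, alloc_flag);" is dereferenced on the very next line ("event->code = code;") with no NULL check, which trades one NULL pointer access for another whenever the allocation fails, most likely on the GFP_ATOMIC path; return early when event is NULL. The same hunk also trusts two values read from the firmware packet: code indexes fweh->evt_handler[code] with no range check, and datalen sizes both the allocation and "memcpy(event->data, data, datalen);" while the function receives no packet length to compare it against. Reject out-of-range codes before the table lookup, and pass the received length in (or validate it in the caller) so that the copy from &event_packet[1] cannot read past the end of the buffer.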