From patchwork Tue Apr 3 08:18:15 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arend van Spriel X-Patchwork-Id: 10320795 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C4D9160390 for ; Tue, 3 Apr 2018 08:18:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B4741201BC for ; Tue, 3 Apr 2018 08:18:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A8B00287AE; Tue, 3 Apr 2018 08:18:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1173A201BC for ; Tue, 3 Apr 2018 08:18:28 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755013AbeDCISZ (ORCPT ); Tue, 3 Apr 2018 04:18:25 -0400 Received: from rnd-relay.smtp.broadcom.com ([192.19.229.170]:55050 "EHLO rnd-relay.smtp.broadcom.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754869AbeDCISY (ORCPT ); Tue, 3 Apr 2018 04:18:24 -0400 Received: from mail-irv-17.broadcom.com (mail-irv-17.lvn.broadcom.net [10.75.224.233]) by rnd-relay.smtp.broadcom.com (Postfix) with ESMTP id 7C9B130C053; Tue, 3 Apr 2018 01:18:23 -0700 (PDT) Received: from bld-bun-01.bun.broadcom.com (bld-bun-01.bun.broadcom.com [10.176.128.83]) by mail-irv-17.broadcom.com (Postfix) with ESMTP id 3C64D81EBF; Tue, 3 Apr 2018 01:18:23 -0700 (PDT) Received: by bld-bun-01.bun.broadcom.com (Postfix, from userid 25152) id 2179EB02AB7; Tue, 3 Apr 2018 10:18:18 +0200 (CEST) From: Arend van Spriel To: Kalle Valo Cc: linux-wireless@vger.kernel.org, Arend van Spriel Subject: [PATCH] brcmfmac: fix firmware request processing if nvram load fails Date: Tue, 3 Apr 2018 10:18:15 +0200 Message-Id: <1522743495-13004-1-git-send-email-arend.vanspriel@broadcom.com> X-Mailer: git-send-email 1.9.1 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When nvram loading fails a double free occurred. Fix this and reorg the code a little. Fixes: commit d09ae51a4b67 ("brcmfmac: pass struct in brcmf_fw_get_firmwares()") Reported-by: Dan Carpenter Signed-off-by: Arend van Spriel --- Hi Kalle, This fix is for code currently(?) in linux-next in error path caused a double free. Regards, Arend --- .../broadcom/brcm80211/brcmfmac/firmware.c | 36 ++++++++++++---------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c index 9277f4c..94e177d 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c @@ -459,7 +459,7 @@ static void brcmf_fw_free_request(struct brcmf_fw_request *req) kfree(req); } -static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx) +static int brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx) { struct brcmf_fw *fwctx = ctx; struct brcmf_fw_item *cur; @@ -498,13 +498,10 @@ static void brcmf_fw_request_nvram_done(const struct firmware *fw, void *ctx) brcmf_dbg(TRACE, "nvram %p len %d\n", nvram, nvram_length); cur->nv_data.data = nvram; cur->nv_data.len = nvram_length; - return; + return 0; fail: - brcmf_dbg(TRACE, "failed: dev=%s\n", dev_name(fwctx->dev)); - fwctx->done(fwctx->dev, -ENOENT, NULL); - brcmf_fw_free_request(fwctx->req); - kfree(fwctx); + return -ENOENT; } static int brcmf_fw_request_next_item(struct brcmf_fw *fwctx, bool async) @@ -553,20 +550,27 @@ static void brcmf_fw_request_done(const struct firmware *fw, void *ctx) brcmf_dbg(TRACE, "enter: firmware %s %sfound\n", cur->path, fw ? "" : "not "); - if (fw) { - if (cur->type == BRCMF_FW_TYPE_BINARY) - cur->binary = fw; - else if (cur->type == BRCMF_FW_TYPE_NVRAM) - brcmf_fw_request_nvram_done(fw, fwctx); - else - release_firmware(fw); - } else if (cur->type == BRCMF_FW_TYPE_NVRAM) { - brcmf_fw_request_nvram_done(NULL, fwctx); - } else if (!(cur->flags & BRCMF_FW_REQF_OPTIONAL)) { + if (!fw) ret = -ENOENT; + + switch (cur->type) { + case BRCMF_FW_TYPE_NVRAM: + ret = brcmf_fw_request_nvram_done(fw, fwctx); + break; + case BRCMF_FW_TYPE_BINARY: + cur->binary = fw; + break; + default: + /* something fishy here so bail out early */ + brcmf_err("unknown fw type: %d\n", cur->type); + release_firmware(fw); + ret = -EINVAL; goto fail; } + if (ret < 0 && !(cur->flags & BRCMF_FW_REQF_OPTIONAL)) + goto fail; + do { if (++fwctx->curpos == fwctx->req->n_items) { ret = 0;