authorArend van Spriel <arend@broadcom.com>2012-11-15 06:46:10 +0400
committerJohn W. Linville <linville@tuxdriver.com>2012-11-16 23:28:50 +0400
commit607d5c0ef6c4d3a2e7a61ba1b62baa0712366bc0 (patch)
tree86e3e4f231959e19d1d4aaf2b1e9010a3b5a3ed8
parentbdf5ff516b453137cecb71e60ff860ec0a704509 (diff)
downloadlinux-607d5c0ef6c4d3a2e7a61ba1b62baa0712366bc0.tar.xz
brcmfmac: correct handling IF firmware event
Testing revealed the IF ADD event contains the interface index of the new interface. This would result in a NULL pointer access when handling the event. Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Franky Lin <frankyl@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--drivers/net/wireless/brcm80211/brcmfmac/fweh.c66
1 files changed, 31 insertions, 35 deletions
diff --git a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
index 825be26b0c65..e1521afe6522 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -191,42 +191,13 @@ static const char *brcmf_fweh_event_name(enum brcmf_fweh_event_code code)
/**
* brcmf_fweh_queue_event() - create and queue event.
*
- * @ifp: firmware interface object.
- * @code: event code.
- * @pkt: event ether packet.
+ * @fweh: firmware event handling info.
+ * @event: event queue entry.
*/
-static void brcmf_fweh_queue_event(struct brcmf_if *ifp,
- enum brcmf_fweh_event_code code,
- struct brcmf_event *pkt)
+static void brcmf_fweh_queue_event(struct brcmf_fweh_info *fweh,
+ struct brcmf_fweh_queue_item *event)
{
- struct brcmf_fweh_info *fweh = &ifp->drvr->fweh;
- struct brcmf_fweh_queue_item *event;
- gfp_t alloc_flag = GFP_KERNEL;
ulong flags;
- void *data;
- u32 datalen;
-
- /* determine event data */
- datalen = get_unaligned_be32(&pkt->msg.datalen);
- data = &pkt[1];
-
- if (!ifp->ndev || (code != BRCMF_E_IF && !fweh->evt_handler[code])) {
- brcmf_dbg(EVENT, "event ignored: code=%d\n", code);
- brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), data, datalen, "event:");
- return;
- }
-
- if (in_interrupt())
- alloc_flag = GFP_ATOMIC;
-
- event = kzalloc(sizeof(*event) + datalen, alloc_flag);
- event->code = code;
- event->ifidx = ifp->idx;
-
- /* use memcpy to get aligned event message */
- memcpy(&event->emsg, &pkt->msg, sizeof(event->emsg));
- memcpy(event->data, data, datalen);
- memcpy(event->ifaddr, pkt->eth.h_dest, ETH_ALEN);
spin_lock_irqsave(&fweh->evt_q_lock, flags);
list_add_tail(&event->q, &fweh->event_q);
@@ -489,10 +460,35 @@ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
struct brcmf_event *event_packet, u8 *ifidx)
{
enum brcmf_fweh_event_code code;
+ struct brcmf_fweh_info *fweh = &drvr->fweh;
+ struct brcmf_fweh_queue_item *event;
+ gfp_t alloc_flag = GFP_KERNEL;
+ void *data;
+ u32 datalen;
- /* determine event code and interface index */
+ /* get event info */
code = get_unaligned_be32(&event_packet->msg.event_type);
+ datalen = get_unaligned_be32(&event_packet->msg.datalen);
*ifidx = event_packet->msg.ifidx;
+ data = &event_packet[1];
+
+ if (code != BRCMF_E_IF && !fweh->evt_handler[code]) {
+ brcmf_dbg(EVENT, "event ignored: code=%d\n", code);
+ brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), data, datalen, "event:");
+ return;
+ }
+
+ if (in_interrupt())
+ alloc_flag = GFP_ATOMIC;
+
+ event = kzalloc(sizeof(*event) + datalen, alloc_flag);
+ event->code = code;
+ event->ifidx = *ifidx;
+
+ /* use memcpy to get aligned event message */
+ memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
+ memcpy(event->data, data, datalen);
+ memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
- brcmf_fweh_queue_event(drvr->iflist[*ifidx], code, event_packet);
+ brcmf_fweh_queue_event(fweh, event);
}
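Review bot: `code` and `datalen` are taken straight from the firmware event packet and then used unchecked: `fweh->evt_handler[code]` is indexed before any range test, and `event = kzalloc(sizeof(*event) + datalen, alloc_flag)` is dereferenced on the next line without a NULL test. An allocation failure (more likely on the `GFP_ATOMIC` path) therefore becomes a NULL pointer write, and an out-of-range event code reads past the handler table. The sketch below assumes `evt_handler` is a fixed-size array in `struct brcmf_fweh_info`, which the hunk does not show. `datalen` also sizes the `memcpy()` from `data` with no upper bound; the signature visible here carries no packet length, so bounding it would probably need the caller to pass or check the frame length. The first line of the function signature sits in the hunk header rather than in the hunk body.

```c
	/* ... unchanged: code, datalen, *ifidx and data are read from event_packet ... */

	/* code comes from the firmware packet; keep it inside the handler table */
	if (code >= ARRAY_SIZE(fweh->evt_handler)) {
		brcmf_dbg(EVENT, "event ignored: code=%d\n", code);
		return;
	}

	/* ... unchanged: ignore events without a handler, choose alloc_flag ... */

	event = kzalloc(sizeof(*event) + datalen, alloc_flag);
	if (!event)
		return;

	/* ... unchanged: fill event, memcpy calls, brcmf_fweh_queue_event() ... */
```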