iwmc3200wifi: fix a use-after-free bug (971ad011) · Commits · e / devices / android_kernel_oneplus_sm7250

drivers/net/wireless/iwmc3200wifi/hal.c

+9 −7

Original line number	Diff line number	Diff line
		@@ -105,7 +105,7 @@
		#include "umac.h"
		#include "debug.h"

		static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
		static int iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
		struct iwm_nonwifi_cmd *cmd,
		struct iwm_udma_nonwifi_cmd *udma_cmd)
		{
		@@ -118,7 +118,7 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
		cmd->seq_num = iwm->nonwifi_seq_num;
		udma_cmd->seq_num = cpu_to_le16(cmd->seq_num);

		cmd->seq_num = iwm->nonwifi_seq_num++;
		iwm->nonwifi_seq_num++;
		iwm->nonwifi_seq_num %= UMAC_NONWIFI_SEQ_NUM_MAX;

		if (udma_cmd->resp)
		@@ -130,6 +130,8 @@ static void iwm_nonwifi_cmd_init(struct iwm_priv *iwm,
		cmd->buf.len = 0;

		memcpy(&cmd->udma_cmd, udma_cmd, sizeof(*udma_cmd));

		return cmd->seq_num;
		}

		u16 iwm_alloc_wifi_cmd_seq(struct iwm_priv *iwm)
		@@ -369,7 +371,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
		const void *payload)
		{
		struct iwm_nonwifi_cmd *cmd;
		int ret;
		int ret, seq_num;

		cmd = kzalloc(sizeof(struct iwm_nonwifi_cmd), GFP_KERNEL);
		if (!cmd) {
		@@ -377,7 +379,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
		return -ENOMEM;
		}

		iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);
		seq_num = iwm_nonwifi_cmd_init(iwm, cmd, udma_cmd);

		if (cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE \|\|
		cmd->udma_cmd.opcode == UMAC_HDI_OUT_OPCODE_WRITE_PERSISTENT) {
		@@ -393,7 +395,7 @@ int iwm_hal_send_target_cmd(struct iwm_priv *iwm,
		if (ret < 0)
		return ret;

		return cmd->seq_num;
		return seq_num;
		}

		static void iwm_build_lmac_hdr(struct iwm_priv iwm, struct iwm_lmac_hdr hdr,