The function brcmf_usb_dlneeded() calls the function brcmf_usb_dl_cmd() but does not check its return value. The 'id.chiprev' is uninitialized if the function brcmf_usb_dl_cmd() fails, and may propagate to 'devinfo->bus_pub.chiprev'.
Add error handling for brcmf_usb_dl_cmd() to return from the function if the 'id.chiprev' is uninitialized.
Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c index 2821c27f317e..50dddac8a2ab 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c @@ -790,6 +790,7 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo) { struct bootrom_id_le id; u32 chipid, chiprev; + int err;
brcmf_dbg(USB, "Enter\n");
@@ -798,7 +799,11 @@ brcmf_usb_dlneeded(struct brcmf_usbdev_info *devinfo)
/* Check if firmware downloaded already by querying runtime ID */ id.chip = cpu_to_le32(0xDEAD); - brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id)); + err = brcmf_usb_dl_cmd(devinfo, DL_GETVER, &id, sizeof(id)); + if (err) { + brcmf_err("DL_GETID Failed\n"); + return false; + }
chipid = le32_to_cpu(id.chip); chiprev = le32_to_cpu(id.chiprev);
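Review bot: The error string added in the second hunk says "DL_GETID Failed", but the command issued on the line just above it is DL_GETVER. Please make the message name the request that actually failed, for example "DL_GETVER failed", and consider including err in the message so the log shows why the control transfer failed. Also, the new failure path does return false from a function named brcmf_usb_dlneeded(), which reads as "no download needed"; please confirm that the caller does not treat this as "firmware already running" and carry on with a device that did not answer, or else state in the commit message why false is the right result here. A short comment on the early return would help either way.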