Commit 8e089e7b authored Apr 22, 2025 by Wentao Liang Committed by Johannes Berg Apr 23, 2025

wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()



The function brcmf_usb_dl_writeimage() calls the function
brcmf_usb_dl_cmd() but dose not check its return value. The
'state.state' and the 'state.bytes' are uninitialized if the
function brcmf_usb_dl_cmd() fails. It is dangerous to use
uninitialized variables in the conditions.

Add error handling for brcmf_usb_dl_cmd() to jump to error
handling path if the brcmf_usb_dl_cmd() fails and the
'state.state' and the 'state.bytes' are uninitialized.

Improve the error message to report more detailed error
information.

Fixes: 71bb244b ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: stable@vger.kernel.org # v3.4+
Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Link: https://patch.msgid.link/20250422042203.2259-1-vulab@iscas.ac.cn


Signed-off-by: Johannes Berg <johannes.berg@intel.com>

parent 0fb15ae3

drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -896,14 +896,16 @@ brcmf_usb_dl_writeimage(struct brcmf_usbdev_info devinfo, u8 fw, int fwlen)
		}

		/* 1) Prepare USB boot loader for runtime image */
		brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state));
		err = brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state));
		if (err)
		goto fail;

		rdlstate = le32_to_cpu(state.state);
		rdlbytes = le32_to_cpu(state.bytes);

		/* 2) Check we are in the Waiting state */
		if (rdlstate != DL_WAITING) {
		brcmf_err("Failed to DL_START\n");
		brcmf_err("Invalid DL state: %u\n", rdlstate);
		err = -EINVAL;
		goto fail;
		}