brcmfmac: firmware: Fix crash in brcm_alt_fw_path

commit 665408f4c3a5c83e712871daa062721624b2b79e upstream.

The call to brcm_alt_fw_path in brcmf_fw_get_firmwares is not protected
by a check to the validity of the fwctx->req->board_type pointer. This
results in a crash in strlcat when, for example, the WLAN chip is found
in a USB dongle.

Prevent the crash by adding the necessary check.

See: https://github.com/raspberrypi/linux/issues/4833

Fixes: 5ff013914c62 ("brcmfmac: firmware: Allow per-board firmware binaries")
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220118154514.3245524-1-phil@raspberrypi.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
index 0eb13e5..d991409 100644 (file)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
@@ -693,7 +693,7 @@ int brcmf_fw_get_firmwares(struct device *dev, struct brcmf_fw_request *req,
 {
        struct brcmf_fw_item *first = &req->items[0];
        struct brcmf_fw *fwctx;
-       char *alt_path;
+       char *alt_path = NULL;
        int ret;
 
        brcmf_dbg(TRACE, "enter: dev=%s\n", dev_name(dev));
@@ -712,7 +712,9 @@ int brcmf_fw_get_firmwares(struct device *dev, struct brcmf_fw_request *req,
        fwctx->done = fw_cb;
 
        /* First try alternative board-specific path if any */
-       alt_path = brcm_alt_fw_path(first->path, fwctx->req->board_type);
+       if (fwctx->req->board_type)
+               alt_path = brcm_alt_fw_path(first->path,
+                                           fwctx->req->board_type);
        if (alt_path) {
                ret = request_firmware_nowait(THIS_MODULE, true, alt_path,
                                              fwctx->dev, GFP_KERNEL, fwctx,