[PATCH 4.4 27/91] ath10k: fix null deref on wmi-tlv when trying spectral scan

From: Greg Kroah-Hartman
Date: Fri Aug 04 2017 - 19:57:30 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.4 25/91] isdn: Fix a sleep-in-atomic bug"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 30/91] mailbox: skip complete wait event if timer expired"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 30/91] mailbox: skip complete wait event if timer expired"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.4 25/91] isdn: Fix a sleep-in-atomic bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michal Kazior <michal.kazior@xxxxxxxxx>

commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

ip link set dev wlan0 up
echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

[ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 168.037406] IP: [< (null)>] (null)
[ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
[ 168.043303] Oops: 0010 [#1] SMP
[ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
[ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
[ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
[ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
...
[ 168.100620] Call Trace:
[ 168.101910] [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
[ 168.104871] [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
[ 168.106696] [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
[ 168.109618] [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
[ 168.111443] [<ffffffff811957b8>] __vfs_write+0x28/0x120
[ 168.113090] [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
[ 168.114932] [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
[ 168.116680] [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
[ 168.118293] [<ffffffff81197966>] SyS_write+0x46/0xa0
[ 168.119912] [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 168.121737] Code: Bad RIP value.
[ 168.123318] RIP [< (null)>] (null)

Signed-off-by: Michal Kazior <michal.kazior@xxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxxxx>
Signed-off-by: Amit Pundir <amit.pundir@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
+++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
@@ -639,6 +639,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
struct sk_buff *skb;
u32 cmd_id;

+ if (!ar->wmi.ops->gen_vdev_spectral_conf)
+ return -EOPNOTSUPP;
+
skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
if (IS_ERR(skb))
return PTR_ERR(skb);
@@ -654,6 +657,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
struct sk_buff *skb;
u32 cmd_id;

+ if (!ar->wmi.ops->gen_vdev_spectral_enable)
+ return -EOPNOTSUPP;
+
skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
enable);
if (IS_ERR(skb))

Next message: Greg Kroah-Hartman: "[PATCH 4.4 25/91] isdn: Fix a sleep-in-atomic bug"
Previous message: Greg Kroah-Hartman: "[PATCH 4.4 30/91] mailbox: skip complete wait event if timer expired"
In reply to: Greg Kroah-Hartman: "[PATCH 4.4 30/91] mailbox: skip complete wait event if timer expired"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.4 25/91] isdn: Fix a sleep-in-atomic bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]