From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Michal Kazior <michal.kazior@tieto.com>,
Kalle Valo <kvalo@qca.qualcomm.com>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 4.9 031/105] ath10k: fix null deref on wmi-tlv when trying spectral scan
Date: Fri, 4 Aug 2017 16:14:59 -0700 [thread overview]
Message-ID: <20170804231553.788647214@linuxfoundation.org> (raw)
In-Reply-To: <20170804231551.544678194@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Kazior <michal.kazior@tieto.com>
commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.
WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.
The crash could be triggered with:
ip link set dev wlan0 up
echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
The crash looked like this:
[ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 168.037406] IP: [< (null)>] (null)
[ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
[ 168.043303] Oops: 0010 [#1] SMP
[ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
[ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
[ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
[ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
...
[ 168.100620] Call Trace:
[ 168.101910] [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
[ 168.104871] [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
[ 168.106696] [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
[ 168.109618] [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
[ 168.111443] [<ffffffff811957b8>] __vfs_write+0x28/0x120
[ 168.113090] [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
[ 168.114932] [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
[ 168.116680] [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
[ 168.118293] [<ffffffff81197966>] SyS_write+0x46/0xa0
[ 168.119912] [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 168.121737] Code: Bad RIP value.
[ 168.123318] RIP [< (null)>] (null)
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
+++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
@@ -660,6 +660,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
struct sk_buff *skb;
u32 cmd_id;
+ if (!ar->wmi.ops->gen_vdev_spectral_conf)
+ return -EOPNOTSUPP;
+
skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
if (IS_ERR(skb))
return PTR_ERR(skb);
@@ -675,6 +678,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
struct sk_buff *skb;
u32 cmd_id;
+ if (!ar->wmi.ops->gen_vdev_spectral_enable)
+ return -EOPNOTSUPP;
+
skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
enable);
if (IS_ERR(skb))
next prev parent reply other threads:[~2017-08-04 23:17 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-04 23:14 [PATCH 4.9 000/105] 4.9.41-stable review Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 001/105] af_key: Add lock to key dump Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 002/105] pstore: Make spinlock per zone instead of global Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 003/105] net: reduce skb_warn_bad_offload() noise Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 004/105] jfs: Dont clear SGID when inheriting ACLs Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 006/105] ALSA: hda - Add missing NVIDIA GPU codec IDs to patch table Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 007/105] parisc: Prevent TLB speculation on flushed pages on CPUs that only support equivalent aliases Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 008/105] parisc: Extend disabled preemption in copy_user_page Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 009/105] parisc: Suspend lockup detectors before system halt Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 010/105] powerpc/pseries: Fix of_node_put() underflow during reconfig remove Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 011/105] NFS: invalidate file size when taking a lock Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 012/105] NFSv4.1: Fix a race where CB_NOTIFY_LOCK fails to wake a waiter Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 013/105] crypto: authencesn - Fix digest_null crash Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 014/105] KVM: PPC: Book3S HV: Enable TM before accessing TM registers Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 015/105] md/raid5: add thread_group worker async_tx_issue_pending_all Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 016/105] drm/vmwgfx: Fix gcc-7.1.1 warning Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 017/105] drm/nouveau/disp/nv50-: bump max chans to 21 Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 018/105] drm/nouveau/bar/gf100: fix access to upper half of BAR2 Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 019/105] KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 020/105] KVM: PPC: Book3S HV: Save/restore host values of debug registers Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 021/105] Revert "powerpc/numa: Fix percpu allocations to be NUMA aware" Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 022/105] Staging: comedi: comedi_fops: Avoid orphaned proc entry Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 023/105] drm: rcar-du: Simplify and fix probe error handling Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 024/105] smp/hotplug: Move unparking of percpu threads to the control CPU Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 025/105] smp/hotplug: Replace BUG_ON and react useful Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 026/105] nfc: Fix hangup of RC-S380* in port100_send_ack() Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 027/105] nfc: fdp: fix NULL pointer dereference Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 028/105] net: phy: Do not perform software reset for Generic PHY Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 029/105] isdn: Fix a sleep-in-atomic bug Greg Kroah-Hartman
2017-08-04 23:14 ` [PATCH 4.9 030/105] isdn/i4l: fix buffer overflow Greg Kroah-Hartman
2017-08-04 23:14 ` Greg Kroah-Hartman [this message]
2017-08-04 23:15 ` [PATCH 4.9 032/105] wil6210: fix deadlock when using fw_no_recovery option Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 033/105] mailbox: always wait in mbox_send_message for blocking Tx mode Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 034/105] mailbox: skip complete wait event if timer expired Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 035/105] mailbox: handle empty message in tx_tick Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 036/105] sched/cgroup: Move sched_online_group() back into css_online() to fix crash Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 037/105] RDMA/uverbs: Fix the check for port number Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 038/105] ipmi/watchdog: fix watchdog timeout set on reboot Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 039/105] dentry name snapshots Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 040/105] [media] v4l: s5c73m3: fix negation operator Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 041/105] pstore: Allow prz to control need for locking Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 042/105] pstore: Correctly initialize spinlock and flags Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 043/105] pstore: Use dynamic spinlock initializer Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 044/105] net: skb_needs_check() accepts CHECKSUM_NONE for tx Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 045/105] device-dax: fix sysfs duplicate warnings Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 046/105] x86/mce/AMD: Make the init code more robust Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 047/105] r8169: add support for RTL8168 series add-on card Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 048/105] ARM: omap2+: fixing wrong strcat for Non-NULL terminated string Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 049/105] dt-bindings: power/supply: Update TPS65217 properties Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 050/105] dt-bindings: input: Specify the interrupt number of TPS65217 power button Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 051/105] ARM: dts: am57xx-idk: Put USB2 port in peripheral mode Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 053/105] net/mlx5: Disable RoCE on the e-switch management port under switchdev mode Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 054/105] ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 055/105] net/mlx4_core: Use-after-free causes a resource leak in flow-steering detach Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 056/105] net/mlx4: Remove BUG_ON from ICM allocation routine Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 057/105] net/mlx4_core: Fix raw qp flow steering rules under SRIOV Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 058/105] drm/msm: Ensure that the hardware write pointer is valid Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 059/105] drm/msm: Put back the vaddr in submit_reloc() Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 060/105] drm/msm: Verify that MSM_SUBMIT_BO_FLAGS are set Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 061/105] vfio-pci: use 32-bit comparisons for register address for gcc-4.5 Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 062/105] irqchip/keystone: Fix "scheduling while atomic" on rt Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 063/105] ASoC: tlv320aic3x: Mark the RESET register as volatile Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 064/105] spi: dw: Make debugfs name unique between instances Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 065/105] ASoC: nau8825: fix invalid configuration in Pre-Scalar of FLL Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 066/105] irqchip/mxs: Enable SKIP_SET_WAKE and MASK_ON_SUSPEND Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 067/105] openrisc: Add _text symbol to fix ksym build error Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 068/105] dmaengine: ioatdma: Add Skylake PCI Dev ID Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 069/105] dmaengine: ioatdma: workaround SKX ioatdma version Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 070/105] l2tp: consider :: as wildcard address in l2tp_ip6 socket lookup Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 071/105] dmaengine: ti-dma-crossbar: Add some of_node_put() in error path Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 072/105] usb: dwc3: omap: fix race of pm runtime with irq handler in probe Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 073/105] ARM64: zynqmp: Fix W=1 dtc 1.4 warnings Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 075/105] perf probe: Fix to get correct modname from elf header Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 076/105] ARM: s3c2410_defconfig: Fix invalid values for NF_CT_PROTO_* Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 077/105] ACPI / scan: Prefer devices without _HID/_CID for _ADR matching Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 078/105] usb: gadget: Fix copy/pasted error message Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 079/105] Btrfs: use down_read_nested to make lockdep silent Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 080/105] Btrfs: fix lockdep warning about log_mutex Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 081/105] benet: stricter vxlan offloading check in be_features_check Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 082/105] Btrfs: adjust outstanding_extents counter properly when dio write is split Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 083/105] Xen: ARM: Zero reserved fields of xatp before making hypervisor call Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 084/105] tools lib traceevent: Fix prev/next_prio for deadline tasks Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 085/105] xfrm: Dont use sk_family for socket policy lookups Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 086/105] perf tools: Install tools/lib/traceevent plugins with install-bin Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 087/105] perf symbols: Robustify reading of build-id from sysfs Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 088/105] video: fbdev: cobalt_lcdfb: Handle return NULL error from devm_ioremap Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 089/105] vfio-pci: Handle error from pci_iomap Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 090/105] arm64: mm: fix show_pte KERN_CONT fallout Greg Kroah-Hartman
2017-08-04 23:15 ` [PATCH 4.9 091/105] nvmem: imx-ocotp: Fix wrong register size Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 092/105] net: usb: asix_devices: add .reset_resume for USB PM Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 093/105] ASoC: fsl_ssi: set fifo watermark to more reliable value Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 094/105] sh_eth: enable RX descriptor word 0 shift on SH7734 Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 095/105] ARCv2: IRQ: Call entry/exit functions for chained handlers in MCIP Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 096/105] ALSA: usb-audio: test EP_FLAG_RUNNING at urb completion Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 097/105] x86/platform/intel-mid: Rename spidev to mrfld_spidev Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 098/105] perf/x86: Set pmu->module in Intel PMU modules Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 099/105] ASoC: Intel: bytcr-rt5640: fix settings in internal clock mode Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 100/105] HID: ignore Petzl USB headlamp Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 101/105] scsi: fnic: Avoid sending reset to firmware when another reset is in progress Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 102/105] scsi: snic: Return error code on memory allocation failure Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 103/105] scsi: bfa: Increase requested firmware version to 3.2.5.1 Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 104/105] ASoC: Intel: Skylake: Release FW ctx in cleanup Greg Kroah-Hartman
2017-08-04 23:16 ` [PATCH 4.9 105/105] ASoC: dpcm: Avoid putting stream state to STOP when FE stream is paused Greg Kroah-Hartman
2017-08-05 1:51 ` [PATCH 4.9 000/105] 4.9.41-stable review Shuah Khan
2017-08-05 2:41 ` Greg Kroah-Hartman
2017-08-05 2:53 ` Randy Dunlap
2017-08-05 2:54 ` Randy Dunlap
2017-08-05 3:06 ` Greg Kroah-Hartman
2017-08-05 6:15 ` Guenter Roeck
2017-08-05 14:48 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170804231553.788647214@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=kvalo@qca.qualcomm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=michal.kazior@tieto.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).