From patchwork Tue Jul 25 19:29:11 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 108670
From: Amit Pundir
To: Greg KH
Cc: Stable, Michal Kazior, Kalle Valo
Subject: [PATCH for-4.9 05/10] ath10k: fix null deref on wmi-tlv when trying spectral scan
Date: Wed, 26 Jul 2017 00:59:11 +0530
Message-Id: <1501010956-27944-6-git-send-email-amit.pundir@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1501010956-27944-1-git-send-email-amit.pundir@linaro.org>
References: <1501010956-27944-1-git-send-email-amit.pundir@linaro.org>
Sender: stable-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org

From: Michal Kazior

commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
  [ 168.037406] IP: [< (null)>] (null)
  [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [ 168.043303] Oops: 0010 [#1] SMP
  [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
  [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
  ...
  [ 168.100620] Call Trace:
  [ 168.101910] [] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [ 168.104871] [] ? filemap_fault+0xb2/0x4a0
  [ 168.106696] [] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [ 168.109618] [] full_proxy_write+0x51/0x80
  [ 168.111443] [] __vfs_write+0x28/0x120
  [ 168.113090] [] ? security_file_permission+0x3d/0xc0
  [ 168.114932] [] ? percpu_down_read+0x12/0x60
  [ 168.116680] [] vfs_write+0xb8/0x1a0
  [ 168.118293] [] SyS_write+0x46/0xa0
  [ 168.119912] [] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [ 168.121737] Code: Bad RIP value.
  [ 168.123318] RIP [< (null)>] (null)

Signed-off-by: Michal Kazior
Signed-off-by: Kalle Valo
Signed-off-by: Amit Pundir
---
 drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
 1 file changed, 6 insertions(+)

--
2.7.4

diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h index c9a8bb1186f2..c7956e181f80 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h +++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h @@ -660,6 +660,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath10k *ar, struct sk_buff *skb; u32 cmd_id; + if (!ar->wmi.ops->gen_vdev_spectral_conf) + return -EOPNOTSUPP; + skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg); if (IS_ERR(skb)) return PTR_ERR(skb); @@ -675,6 +678,9 @@ ath10k_wmi_vdev_spectral_enable(struct ath10k *ar, u32 vdev_id, u32 trigger, struct sk_buff *skb; u32 cmd_id; + if (!ar->wmi.ops->gen_vdev_spectral_enable) + return -EOPNOTSUPP; + skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger, enable); if (IS_ERR(skb))
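
Review bot: In the first hunk (ath10k_wmi_vdev_spectral_conf), the new guard "if (!ar->wmi.ops->gen_vdev_spectral_conf) return -EOPNOTSUPP;" changes what the callers see, but the patch does not touch the callers named in the trace (ath10k_spectral_scan_config, write_file_spec_scan_ctl). Please confirm that -EOPNOTSUPP is propagated back to the write() on spectral_scan_ctl as an error, and that no spectral state has already been updated by the time the wrapper bails out, so a user on WMI-TLV firmware gets a clean "not supported" instead of a mode that looks set but was never sent to firmware. A line in the commit message stating the user-visible result of the echo after the fix would make that easy to verify for the stable backport.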
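
Review bot: In the second hunk (ath10k_wmi_vdev_spectral_enable), the guard on gen_vdev_spectral_enable is tested independently of the gen_vdev_spectral_conf guard added in the first hunk, so an ops table that provides only one of the two would pass one wrapper and fail the other partway through a scan setup. Consider a single capability check at the spectral_scan_ctl entry point that requires both ops before anything is changed, or not exposing the debugfs control at all when either pointer is NULL. The per-wrapper checks can stay as a backstop; the point is that the unprivileged-looking failure should happen once, up front, with one consistent errno.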