From patchwork Tue Jul 25 20:07:16 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 108689
From: Amit Pundir
To: Greg KH
Cc: Stable, Michal Kazior, Kalle Valo
Subject: [PATCH for-4.4 08/13] ath10k: fix null deref on wmi-tlv when trying spectral scan
Date: Wed, 26 Jul 2017 01:37:16 +0530
Message-Id: <1501013241-31961-9-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1501013241-31961-1-git-send-email-amit.pundir@linaro.org>
References: <1501013241-31961-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Michal Kazior

commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.

WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
  [ 168.037406] IP: [< (null)>] (null)
  [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [ 168.043303] Oops: 0010 [#1] SMP
  [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
  [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
  ...
  [ 168.100620] Call Trace:
  [ 168.101910] [] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [ 168.104871] [] ? filemap_fault+0xb2/0x4a0
  [ 168.106696] [] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [ 168.109618] [] full_proxy_write+0x51/0x80
  [ 168.111443] [] __vfs_write+0x28/0x120
  [ 168.113090] [] ? security_file_permission+0x3d/0xc0
  [ 168.114932] [] ? percpu_down_read+0x12/0x60
  [ 168.116680] [] vfs_write+0xb8/0x1a0
  [ 168.118293] [] SyS_write+0x46/0xa0
  [ 168.119912] [] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [ 168.121737] Code: Bad RIP value.
  [ 168.123318] RIP [< (null)>] (null)

Signed-off-by: Michal Kazior
Signed-off-by: Kalle Valo
Signed-off-by: Amit Pundir
---
 drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
 1 file changed, 6 insertions(+)

--
2.7.4

diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
index 8f4f6a892581..cfed5808bc4e 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h +++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h @@ -639,6 +639,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath10k *ar, struct sk_buff *skb; u32 cmd_id; + if (!ar->wmi.ops->gen_vdev_spectral_conf) + return -EOPNOTSUPP; + skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg); if (IS_ERR(skb)) return PTR_ERR(skb); @@ -654,6 +657,9 @@ ath10k_wmi_vdev_spectral_enable(struct ath10k *ar, u32 vdev_id, u32 trigger, struct sk_buff *skb; u32 cmd_id; + if (!ar->wmi.ops->gen_vdev_spectral_enable) + return -EOPNOTSUPP; + skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger, enable); if (IS_ERR(skb))
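
Review bot: in the ath10k_wmi_vdev_spectral_conf() hunk, the new "if (!ar->wmi.ops->gen_vdev_spectral_conf) return -EOPNOTSUPP;" converts the oops into an error code, but the debugfs entry spectral_scan_ctl that reaches it is still offered on firmware whose ops table lacks the callback. Please confirm that the callers shown in the trace (write_file_spec_scan_ctl and ath10k_spectral_scan_config) hand -EOPNOTSUPP back to the writer unchanged and do not leave the requested "background" mode recorded when the op is missing; not registering the control file for such ops tables would be the stricter alternative.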
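
Review bot: in the ath10k_wmi_vdev_spectral_enable() hunk, the guard on gen_vdev_spectral_enable has no matching evidence in the commit message, whose trace only shows the path through ath10k_spectral_scan_config faulting. A sentence stating that this second check is preventative would help stable reviewers. Since the wrapper takes an "enable" argument and so serves the disable direction too, callers that turn scanning off will now receive -EOPNOTSUPP as well and should treat it as nothing to do rather than as a failure.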