diff mbox

ath10k: fix null deref on wmi-tlv when trying spectral scan

Message ID 1479129923-11083-1-git-send-email-michal.kazior@tieto.com (mailing list archive)
State Not Applicable
Delegated to: Kalle Valo
Headers show

Commit Message

Michal Kazior Nov. 14, 2016, 1:25 p.m. UTC
WMI ops wrappers did not properly check for null
function pointers for spectral scan. This caused
null dereference crash with WMI-TLV based firmware
which doesn't implement spectral scan.

The crash could be triggered with:

  ip link set dev wlan0 up
  echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl

The crash looked like this:

  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
  [  168.037406] IP: [<          (null)>]           (null)
  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
  [  168.043303] Oops: 0010 [#1] SMP
  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
  [  168.061736] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
  ...
  [  168.100620] Call Trace:
  [  168.101910]  [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
  [  168.104871]  [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
  [  168.106696]  [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
  [  168.109618]  [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
  [  168.111443]  [<ffffffff811957b8>] __vfs_write+0x28/0x120
  [  168.113090]  [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
  [  168.114932]  [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
  [  168.116680]  [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
  [  168.118293]  [<ffffffff81197966>] SyS_write+0x46/0xa0
  [  168.119912]  [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
  [  168.121737] Code:  Bad RIP value.
  [  168.123318] RIP  [<          (null)>]           (null)

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
---
 drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Kalle Valo Nov. 23, 2016, 1:56 p.m. UTC | #1
Michal Kazior <michal.kazior@tieto.com> wrote:
> WMI ops wrappers did not properly check for null
> function pointers for spectral scan. This caused
> null dereference crash with WMI-TLV based firmware
> which doesn't implement spectral scan.
> 
> The crash could be triggered with:
> 
>   ip link set dev wlan0 up
>   echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
> 
> The crash looked like this:
> 
>   [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
>   [  168.037406] IP: [<          (null)>]           (null)
>   [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
>   [  168.043303] Oops: 0010 [#1] SMP
>   [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
>   [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
>   [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
>   [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
>   [  168.061736] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
>   ...
>   [  168.100620] Call Trace:
>   [  168.101910]  [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
>   [  168.104871]  [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
>   [  168.106696]  [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
>   [  168.109618]  [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
>   [  168.111443]  [<ffffffff811957b8>] __vfs_write+0x28/0x120
>   [  168.113090]  [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
>   [  168.114932]  [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
>   [  168.116680]  [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
>   [  168.118293]  [<ffffffff81197966>] SyS_write+0x46/0xa0
>   [  168.119912]  [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
>   [  168.121737] Code:  Bad RIP value.
>   [  168.123318] RIP  [<          (null)>]           (null)
> 
> Signed-off-by: Michal Kazior <michal.kazior@tieto.com>

Patch applied to ath-next branch of ath.git, thanks.

18ae68fff392 ath10k: fix null deref on wmi-tlv when trying spectral scan
diff mbox

Patch

diff --git a/drivers/net/wireless/ath/ath10k/wmi-ops.h b/drivers/net/wireless/ath/ath10k/wmi-ops.h
index c9a8bb1186f2..c7956e181f80 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
+++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
@@ -660,6 +660,9 @@  ath10k_wmi_vdev_spectral_conf(struct ath10k *ar,
 	struct sk_buff *skb;
 	u32 cmd_id;
 
+	if (!ar->wmi.ops->gen_vdev_spectral_conf)
+		return -EOPNOTSUPP;
+
 	skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
 	if (IS_ERR(skb))
 		return PTR_ERR(skb);
@@ -675,6 +678,9 @@  ath10k_wmi_vdev_spectral_enable(struct ath10k *ar, u32 vdev_id, u32 trigger,
 	struct sk_buff *skb;
 	u32 cmd_id;
 
+	if (!ar->wmi.ops->gen_vdev_spectral_enable)
+		return -EOPNOTSUPP;
+
 	skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
 						    enable);
 	if (IS_ERR(skb))