[linux] 01/01: ath9k: fix NULL pointer dereference (Closes: #851621)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Jan 17 04:01:38 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit c6b1f1b2b1e4c2e602eb1d5f77efada14e34e53c
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Jan 17 03:47:58 2017 +0000

    ath9k: fix NULL pointer dereference (Closes: #851621)
---
 debian/changelog                                   |  1 +
 .../all/ath9k-fix-null-pointer-dereference.patch   | 77 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 79 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9efc37f..54c7cf3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -238,6 +238,7 @@ linux (4.9.4-1) UNRELEASED; urgency=medium
   * [armel,armhf,s390x,x86] linux-headers: Fix regression of multilib compiler
     support (Closes: #851481)
   * nbd: use loff_t for blocksize and nbd_set_size args (Closes: #851533)
+  * ath9k: fix NULL pointer dereference (Closes: #851621)
 
   [ Salvatore Bonaccorso ]
   * sysctl: Drop reference added by grab_header in proc_sys_readdir
diff --git a/debian/patches/bugfix/all/ath9k-fix-null-pointer-dereference.patch b/debian/patches/bugfix/all/ath9k-fix-null-pointer-dereference.patch
new file mode 100644
index 0000000..77891b4
--- /dev/null
+++ b/debian/patches/bugfix/all/ath9k-fix-null-pointer-dereference.patch
@@ -0,0 +1,77 @@
+From: Miaoqing Pan <miaoqing at codeaurora.org>
+Date: Wed, 16 Nov 2016 17:23:08 +0800
+Subject: ath9k: fix NULL pointer dereference
+Origin: https://git.kernel.org/linus/40bea976c72b9ee60f8d097852deb53ccbeaffbe
+Bug-Debian: https://bugs.debian.org/851621
+
+relay_open() may return NULL, check the return value to avoid the crash.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
+IP: [<ffffffffa01a95c5>] ath_cmn_process_fft+0xd5/0x700 [ath9k_common]
+PGD 41cf28067 PUD 41be92067 PMD 0
+Oops: 0000 [#1] SMP
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.6+ #35
+Hardware name: Hewlett-Packard h8-1080t/2A86, BIOS 6.15    07/04/2011
+task: ffffffff81e0c4c0 task.stack: ffffffff81e00000
+RIP: 0010:[<ffffffffa01a95c5>] [<ffffffffa01a95c5>] ath_cmn_process_fft+0xd5/0x700 [ath9k_common]
+RSP: 0018:ffff88041f203ca0 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 000000000000059f RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000040 RDI: ffffffff81f0ca98
+RBP: ffff88041f203dc8 R08: ffffffffffffffff R09: 00000000000000ff
+R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+R13: ffffffff81f0ca98 R14: 0000000000000000 R15: 0000000000000000
+FS:  0000000000000000(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000040 CR3: 000000041b6ec000 CR4: 00000000000006f0
+Stack:
+0000000000000363 00000000000003f3 00000000000003f3 00000000000001f9
+000000000000049a 0000000001252c04 ffff88041f203e44 ffff880417b4bfd0
+0000000000000008 ffff88041785b9c0 0000000000000002 ffff88041613dc60
+
+Call Trace:
+<IRQ>
+[<ffffffffa01b6441>] ath9k_tasklet+0x1b1/0x220 [ath9k]
+[<ffffffff8105d8dd>] tasklet_action+0x4d/0xf0
+[<ffffffff8105dde2>] __do_softirq+0x92/0x2a0
+
+Reported-by: Devin Tuchsen <devin.tuchsen at gmail.com>
+Tested-by: Devin Tuchsen <devin.tuchsen at gmail.com>
+Signed-off-by: Miaoqing Pan <miaoqing at codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo at qca.qualcomm.com>
+---
+ drivers/net/wireless/ath/ath9k/common-spectral.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/common-spectral.c b/drivers/net/wireless/ath/ath9k/common-spectral.c
+index e2512d5bc0e1..eedf86b67cf5 100644
+--- a/drivers/net/wireless/ath/ath9k/common-spectral.c
++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c
+@@ -528,6 +528,9 @@ int ath_cmn_process_fft(struct ath_spec_scan_priv *spec_priv, struct ieee80211_h
+ 	if (!(radar_info->pulse_bw_info & SPECTRAL_SCAN_BITMASK))
+ 		return 0;
+ 
++	if (!spec_priv->rfs_chan_spec_scan)
++		return 1;
++
+ 	/* Output buffers are full, no need to process anything
+ 	 * since there is no space to put the result anyway
+ 	 */
+@@ -1072,7 +1075,7 @@ static struct rchan_callbacks rfs_spec_scan_cb = {
+ 
+ void ath9k_cmn_spectral_deinit_debug(struct ath_spec_scan_priv *spec_priv)
+ {
+-	if (IS_ENABLED(CONFIG_ATH9K_DEBUGFS)) {
++	if (IS_ENABLED(CONFIG_ATH9K_DEBUGFS) && spec_priv->rfs_chan_spec_scan) {
+ 		relay_close(spec_priv->rfs_chan_spec_scan);
+ 		spec_priv->rfs_chan_spec_scan = NULL;
+ 	}
+@@ -1086,6 +1089,9 @@ void ath9k_cmn_spectral_init_debug(struct ath_spec_scan_priv *spec_priv,
+ 					    debugfs_phy,
+ 					    1024, 256, &rfs_spec_scan_cb,
+ 					    NULL);
++	if (!spec_priv->rfs_chan_spec_scan)
++		return;
++
+ 	debugfs_create_file("spectral_scan_ctl",
+ 			    S_IRUSR | S_IWUSR,
+ 			    debugfs_phy, spec_priv,
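Review bot: The new guard in ath_cmn_process_fft returns 1 while the check directly above it returns 0, and nothing in the hunk says what either value means to the caller, so the early exit deserves a comment such as `/* relay_open() failed: no channel to write samples to */` plus a word on why 1 is the right result. The function body and its caller lie outside the hunk, so that wording needs confirming against them. The guard is also a plain read of `spec_priv->rfs_chan_spec_scan`, whereas ath9k_cmn_spectral_deinit_debug calls relay_close() before it clears the pointer. If the tasklet shown in the call trace can still run during deinit (not visible here), the check does not close that window, so it is worth confirming the tasklet is stopped before teardown.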
diff --git a/debian/patches/series b/debian/patches/series
index 7db06bf..63dc380 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -65,6 +65,7 @@ bugfix/all/ext4-fix-bug-838544.patch
 bugfix/all/mm-memcontrol-use-special-workqueue-for-creating-per-memcg-caches.patch
 bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/nbd-use-loff_t-for-blocksize-and-nbd_set_size-args.patch
+bugfix/all/ath9k-fix-null-pointer-dereference.patch
 
 # Miscellaneous features
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


