4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2019 09:47:14 +0000 (10:47 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 26 Nov 2019 09:47:14 +0000 (10:47 +0100)
added patches:
ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
ath9k_hw-fix-uninitialized-variable-data.patch

queue-4.19/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch [new file with mode: 0644]
queue-4.19/ath9k_hw-fix-uninitialized-variable-data.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch b/queue-4.19/ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
new file mode 100644 (file)
index 0000000..221c802
--- /dev/null
@@ -0,0 +1,74 @@
+From bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27 Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Sat, 19 Oct 2019 14:42:23 +0300
+Subject: ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
+
+From: Hui Peng <benquike@gmail.com>
+
+commit bfd6e6e6c5d2ee43a3d9902b36e01fc7527ebb27 upstream.
+
+The `ar_usb` field of `ath10k_usb_pipe_usb_pipe` objects
+are initialized to point to the containing `ath10k_usb` object
+according to endpoint descriptors read from the device side, as shown
+below in `ath10k_usb_setup_pipe_resources`:
+
+for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+        endpoint = &iface_desc->endpoint[i].desc;
+
+        // get the address from endpoint descriptor
+        pipe_num = ath10k_usb_get_logical_pipe_num(ar_usb,
+                                                endpoint->bEndpointAddress,
+                                                &urbcount);
+        ......
+        // select the pipe object
+        pipe = &ar_usb->pipes[pipe_num];
+
+        // initialize the ar_usb field
+        pipe->ar_usb = ar_usb;
+}
+
+The driver assumes that the addresses reported in endpoint
+descriptors from device side  to be complete. If a device is
+malicious and does not report complete addresses, it may trigger
+NULL-ptr-deref `ath10k_usb_alloc_urb_from_pipe` and
+`ath10k_usb_free_urb_to_pipe`.
+
+This patch fixes the bug by preventing potential NULL-ptr-deref.
+
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[groeck: Add driver tag to subject, fix build warning]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/usb.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/usb.c
++++ b/drivers/net/wireless/ath/ath10k/usb.c
+@@ -49,6 +49,10 @@ ath10k_usb_alloc_urb_from_pipe(struct at
+       struct ath10k_urb_context *urb_context = NULL;
+       unsigned long flags;
++      /* bail if this pipe is not initialized */
++      if (!pipe->ar_usb)
++              return NULL;
++
+       spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+       if (!list_empty(&pipe->urb_list_head)) {
+               urb_context = list_first_entry(&pipe->urb_list_head,
+@@ -66,6 +70,10 @@ static void ath10k_usb_free_urb_to_pipe(
+ {
+       unsigned long flags;
++      /* bail if this pipe is not initialized */
++      if (!pipe->ar_usb)
++              return;
++
+       spin_lock_irqsave(&pipe->ar_usb->cs_lock, flags);
+       pipe->urb_cnt++;
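Review bot: The comment on both added `if (!pipe->ar_usb)` guards says the pipe "is not initialized" without recording how that can happen, which is the security-relevant part. Per the commit message, `ar_usb` is assigned only for pipes that the device's endpoint descriptors map to, so something like `/* ar_usb stays NULL if the device's endpoint descriptors never mapped this pipe */` would tell the next reader that the value is device-controlled. The guards also seem to rely on the pipe array starting out zeroed, which is not visible here and is worth confirming. It may be cleaner to fail the probe when `ath10k_usb_setup_pipe_resources` leaves a required pipe unset, instead of silently returning at each use, but that function is outside this hunk, so treat it as something to check. Both function bodies continue outside the hunk.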
diff --git a/queue-4.19/ath9k_hw-fix-uninitialized-variable-data.patch b/queue-4.19/ath9k_hw-fix-uninitialized-variable-data.patch
new file mode 100644 (file)
index 0000000..b81cadc
--- /dev/null
@@ -0,0 +1,39 @@
+From 80e84f36412e0c5172447b6947068dca0d04ee82 Mon Sep 17 00:00:00 2001
+From: Denis Efremov <efremov@linux.com>
+Date: Fri, 27 Sep 2019 01:56:04 +0300
+Subject: ath9k_hw: fix uninitialized variable data
+
+From: Denis Efremov <efremov@linux.com>
+
+commit 80e84f36412e0c5172447b6947068dca0d04ee82 upstream.
+
+Currently, data variable in ar9003_hw_thermo_cal_apply() could be
+uninitialized if ar9300_otp_read_word() will fail to read the value.
+Initialize data variable with 0 to prevent an undefined behavior. This
+will be enough to handle error case when ar9300_otp_read_word() fails.
+
+Fixes: 80fe43f2bbd5 ("ath9k_hw: Read and configure thermocal for AR9462")
+Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
+Cc: John W. Linville <linville@tuxdriver.com>
+Cc: Kalle Valo <kvalo@codeaurora.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Efremov <efremov@linux.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -4183,7 +4183,7 @@ static void ar9003_hw_thermometer_apply(
+ static void ar9003_hw_thermo_cal_apply(struct ath_hw *ah)
+ {
+-      u32 data, ko, kg;
++      u32 data = 0, ko, kg;
+       if (!AR_SREV_9462_20_OR_LATER(ah))
+               return;
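Review bot: The `data = 0` initializer in `ar9003_hw_thermo_cal_apply` is the entire error path for a failed `ar9300_otp_read_word()`, but nothing at the declaration says so, and the call's return value still appears to go unchecked (the call itself is outside this hunk). A short comment would stop a later cleanup from dropping the initializer as redundant: `/* 0 = no OTP data; stays 0 if ar9300_otp_read_word() fails */`. Splitting the declaration into `u32 data = 0;` and `u32 ko, kg;` would also make the one deliberately initialized variable stand out. The function body continues outside the hunk.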
index eb35108ca617ba3308c85674c893ab2c8dd56be5..1e330492a0905074b11ea16a91ca4d70bb7b6653 100644 (file)
@@ -255,3 +255,5 @@ cfg80211-call-disconnect_wk-when-ap-stops.patch
 mm-page_io.c-do-not-free-shared-swap-slots.patch
 bluetooth-fix-invalid-free-in-bcsp_close.patch
 kvm-mmu-do-not-treat-zone_device-pages-as-being-reserved.patch
+ath10k-fix-a-null-ptr-deref-bug-in-ath10k_usb_alloc_urb_from_pipe.patch
+ath9k_hw-fix-uninitialized-variable-data.patch