Unverified Commit b90aae59 authored May 09, 2024 by openeuler-ci-bot Committed by Gitee May 09, 2024

!7017 v2 net: ath9k: fix CVE-2024-26897

Merge Pull Request from: @ci-robot 
 
PR sync from: Dong Chenchen <dongchenchen2@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/CZX3AOMKCWOTNIABSMKEW5SBA45UKG2W/ 
fix CVE-2024-26897

Tetsuo Handa (1):
  ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()

Toke Høiland-Jørgensen (1):
  wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is
    complete


-- 
2.25.1
 
https://gitee.com/src-openeuler/kernel/issues/I9HK6T 
 
Link:https://gitee.com/openeuler/kernel/pulls/7017

 

Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Liu YongQiang <liuyongqiang13@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>

parents 8468ee85 fdcecd92

drivers/net/wireless/ath/ath9k/htc.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -509,6 +509,7 @@ struct ath9k_htc_priv {
		unsigned long ps_usecount;
		bool ps_enabled;
		bool ps_idle;
		bool initialized;

		#ifdef CONFIG_MAC80211_LEDS
		enum led_brightness brightness;

drivers/net/wireless/ath/ath9k/htc_drv_init.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -967,6 +967,10 @@ int ath9k_htc_probe_device(struct htc_target htc_handle, struct device dev,

		htc_handle->drv_priv = priv;

		/* Allow ath9k_wmi_event_tasklet() to operate. */
		smp_wmb();
		priv->initialized = true;

		return 0;

		err_init:

drivers/net/wireless/ath/ath9k/htc_drv_txrx.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -809,6 +809,7 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv)
		skb_queue_head_init(&priv->tx.data_vi_queue);
		skb_queue_head_init(&priv->tx.data_vo_queue);
		skb_queue_head_init(&priv->tx.tx_failed);

		return 0;
		}

drivers/net/wireless/ath/ath9k/wmi.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -153,6 +153,12 @@ void ath9k_wmi_event_tasklet(unsigned long data)
		}
		spin_unlock_irqrestore(&wmi->wmi_lock, flags);

		/* Check if ath9k_htc_probe_device() completed. */
		if (!priv->initialized) {
		kfree_skb(skb);
		continue;
		}

		hdr = (struct wmi_cmd_hdr *) skb->data;
		cmd_id = be16_to_cpu(hdr->command_id);
		wmi_event = skb_pull(skb, sizeof(struct wmi_cmd_hdr));