wifi: ath9k_htc: Abort software beacon handling if disabled

A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. Reported-by: Robert Morris <rtm@csail.mit.edu> Closes: https://lore.kernel.org/r/88967.1743099372@localhost Fixes: 832f6a18fc2a ("ath9k_htc: Add beacon slots") Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> Link: https://patch.msgid.link/20250402112217.58533-1-toke@toke.dk Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
author: Toke Høiland-Jørgensen <toke@toke.dk> 2025-04-02 13:22:16 +0200
committer: Jeff Johnson <jeff.johnson@oss.qualcomm.com> 2025-05-20 08:34:34 -0700
commit: ac4e317a95a1092b5da5b9918b7118759342641c (patch)
tree: b9699545a4909760b22c50936682ebc509d6a129 /drivers/net/wireless/ath
parent: 1cbc77e0bc32304f574d06c57467914c6168d413 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
index 547634f82183..81fa7cbad892 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_beacon.c
@@ -290,6 +290,9 @@ void ath9k_htc_swba(struct ath9k_htc_priv *priv,
 	struct ath_common *common = ath9k_hw_common(priv->ah);
 	int slot;
 
+	if (!priv->cur_beacon_conf.enable_beacon)
+		return;
+
 	if (swba->beacon_pending != 0) {
 		priv->beacon.bmisscnt++;
 		if (priv->beacon.bmisscnt > BSTUCK_THRESHOLD) {
author	Toke Høiland-Jørgensen <toke@toke.dk>	2025-04-02 13:22:16 +0200
committer	Jeff Johnson <jeff.johnson@oss.qualcomm.com>	2025-05-20 08:34:34 -0700
commit	ac4e317a95a1092b5da5b9918b7118759342641c (patch)
tree	b9699545a4909760b22c50936682ebc509d6a129 /drivers/net/wireless/ath
parent	1cbc77e0bc32304f574d06c57467914c6168d413 (diff)