From 1813c9ad091f98f6823343e79c4b191374960799 Mon Sep 17 00:00:00 2001
From: Russ Meyerriecks <rmeyerriecks@digium.com>
Date: Fri, 22 Jul 2011 17:56:07 +0000
Subject: [PATCH] wcb4xxp: Prevent null pointer dereference on spanconfig

In the rare case where spanconfig is called while there is pending data
on the hdlc channel, the hdlc_getbuf interrupt could try to read from
the hdlc buffer before the channel was fully setup. This could
potentially result in a null pointer dereference. This condition has
existed since the creation of the wcb4xxp driver.

Signed-off-by: Russ Meyerriecks <rmeyerriecks@digium.com>
Signed-off-by: Shaun Ruffell <sruffell@digium.com>

git-svn-id: http://svn.asterisk.org/svn/dahdi/linux/trunk@10079 a0bf4364-ded3-4de4-8d8a-66a801d63aff
---
 drivers/dahdi/wcb4xxp/base.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dahdi/wcb4xxp/base.c b/drivers/dahdi/wcb4xxp/base.c
index 4842440..b8f7f1d 100644
--- a/drivers/dahdi/wcb4xxp/base.c
+++ b/drivers/dahdi/wcb4xxp/base.c
@@ -2375,6 +2375,9 @@ b4xxp_chanconfig(struct file *file, struct dahdi_chan *chan, int sigtype)
 
 		if (alreadyrunning && bspan->sigchan) {
 			hdlc_stop(b4, fifo);
+			atomic_set(&bspan->hdlc_pending, 0);
+			bspan->sigactive = 0;
+			smp_mb();
 			bspan->sigchan = NULL;
 		}