On 2022/02/09 0:48, Pavel Skripkin wrote: >> ath9k_htc_suspend() >> ath9k_htc_resume() >> ath9k_hif_usb_disconnect() >> >> What guarantees that none of these will be called midway through >> ath9k_htc_probe_device() (which would lead to a NULL deref after this >> change)? >> > > IIUC, situation you are talking about may happen even without my change. > I was thinking, that ath9k_htc_probe_device() is the real ->probe() function, but things look a bit more tricky. > > > So, the ->probe() function may be completed before ath9k_htc_probe_device() > is called, because it's called from fw loader callback function. Yes, ath9k_hif_usb_probe() may return before complete_all(&hif_dev->fw_done) is called by ath9k_hif_usb_firmware_cb() or ath9k_hif_usb_firmware_fail(). > If ->probe() is completed, than we can call ->suspend(), ->resume() and > others usb callbacks, right? Yes, but ath9k_hif_usb_disconnect() and ath9k_hif_usb_suspend() are calling wait_for_completion(&hif_dev->fw_done) before checking HIF_USB_READY flag. hif_dev->fw_done serves for serialization. > And we can meet NULL defer even if we leave drv_priv = priv initialization > on it's place. I didn't catch the location. As long as "htc_handle->drv_priv = priv;" is done before complete_all(&hif_dev->fw_done) is done, is something wrong? > > Please, correct me if I am wrong somewhere :)
