Toke Høiland-Jørgensen <toke@xxxxxxx> wrote:

> The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data
> structures have been fully initialised by the time it runs. However, because of
> the order in which things are initialised, this is not guaranteed to be the
> case, because the device is exposed to the USB subsystem before the ath9k driver
> initialisation is completed.
>
> We already committed a partial fix for this in commit:
> 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")
>
> However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event
> tasklet, pairing it with an "initialisation complete" bit in the TX struct. It
> seems syzbot managed to trigger the race for one of the other commands as well,
> so let's just move the existing synchronisation bit to cover the whole
> tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside
> ath9k_tx_init()).
>
> Link: https://lore.kernel.org/r/ed1d2c66-1193-4c81-9542-d514c29ba8b8.bugreport@xxxxxxxxxxxxxx
> Fixes: 8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")
> Reported-by: Ubisectech Sirius <bugreport@xxxxxxxxxxxxxx>
> Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

24355fcb0d4c wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20240126140218.1033443-1-toke@xxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
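The race the commit message describes, modelled in userspace as an added example (this is not ath9k code and not part of the thread). A device becomes visible to the USB subsystem while probe is still running, so an event handler can fire between the init steps. The partial fix gated only the TX status path on a per-subsystem bit, leaving the other commands to touch not-yet-allocated state; the full fix gates the whole handler on one bit that probe sets last. The struct, event ids and function names (htc_dev, EVENT_TX_STATUS, EVENT_BEACON, tx_init, beacon_init, probe_finish) are hypothetical stand-ins for the driver's own.

```c
/* Added example (not the ath9k driver's code): a userspace model of the race
 * the commit message describes and of the partial vs. full fix. The device
 * struct, the event ids and the function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum wmi_event_id { EVENT_TX_STATUS = 1, EVENT_BEACON = 2 };

struct htc_dev {
    bool tx_initialized;  /* per-subsystem bit used by the partial fix */
    bool init_complete;   /* single bit set at the very end of probe */
    int *tx_slots;        /* NULL until tx_init() ran */
    int *beacon_state;    /* NULL until beacon_init() ran */
    int handled;
    int dropped;
};

/* Returns false where the real tasklet would have dereferenced NULL. */
static bool do_event(struct htc_dev *d, enum wmi_event_id id)
{
    switch (id) {
    case EVENT_TX_STATUS:
        if (!d->tx_slots)
            return false;
        d->tx_slots[0]++;
        break;
    case EVENT_BEACON:
        if (!d->beacon_state)
            return false;
        d->beacon_state[0]++;
        break;
    }
    d->handled++;
    return true;
}

/* Partial fix: only the TX status path checks a bit, so a beacon event that
 * arrives before beacon_init() still reaches the NULL pointer. */
static bool tasklet_partial_fix(struct htc_dev *d, enum wmi_event_id id)
{
    if (id == EVENT_TX_STATUS && !d->tx_initialized) {
        d->dropped++;
        return true;
    }
    return do_event(d, id);
}

/* Full fix: one gate at the top of the tasklet covers every command. */
static bool tasklet_full_fix(struct htc_dev *d, enum wmi_event_id id)
{
    if (!d->init_complete) {
        d->dropped++;
        return true;
    }
    return do_event(d, id);
}

static void tx_init(struct htc_dev *d, int *slots)
{
    d->tx_slots = slots;
    d->tx_initialized = true;  /* where the partial fix set its bit */
}

static void beacon_init(struct htc_dev *d, int *state)
{
    d->beacon_state = state;
}

static void probe_finish(struct htc_dev *d)
{
    d->init_complete = true;   /* where the full fix sets its bit: last */
}

/* Drives one probe sequence with events arriving in the window between
 * tx_init() and beacon_init(), i.e. after the device is visible to the USB
 * subsystem but before probe has finished. Returns the number of events the
 * tasklet dropped, or -1 if it would have dereferenced NULL. */
int run_scenario(bool full_fix)
{
    struct htc_dev d;
    int slots[4] = {0}, beacon[2] = {0};
    bool (*tasklet)(struct htc_dev *, enum wmi_event_id) =
        full_fix ? tasklet_full_fix : tasklet_partial_fix;

    memset(&d, 0, sizeof d);
    tx_init(&d, slots);
    /* race window: both events fire before probe_finish() */
    if (!tasklet(&d, EVENT_TX_STATUS) || !tasklet(&d, EVENT_BEACON))
        return -1;
    beacon_init(&d, beacon);
    probe_finish(&d);
    /* after init both variants handle events normally */
    if (!tasklet(&d, EVENT_TX_STATUS) || !tasklet(&d, EVENT_BEACON))
        return -1;
    return d.dropped;
}

int main(void)
{
    printf("partial fix: %d\n", run_scenario(false)); /* -1: NULL deref */
    printf("full fix:    %d\n", run_scenario(true));  /* 2: events dropped */
    return 0;
}
```

The point of the model is the placement of the bit rather than the bit itself: a flag set inside one subsystem's init only protects that subsystem's data, while a flag set as the last step of probe makes every path through the handler safe, at the cost of dropping early events, which the commit accepts.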