To: Kalle Valo , ath9k-devel@qca.qualcomm.com
Cc: linux-wireless
From: Tetsuo Handa
Subject: [PATCH] ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
Message-ID: <7145c55e-6b1d-d8be-57cc-6639e4e5fee2@i-love.sakura.ne.jp>
Date: Sun, 12 Sep 2021 16:18:33 +0900
X-Mailing-List: linux-wireless@vger.kernel.org

syzbot is reporting NULL pointer dereference at get_htc_epid_queue() from ath9k_htc_tx_get_packet() from ath9k_htc_txstatus() [1], for ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) depends on spin_lock_init() from ath9k_init_priv() being already completed.

Since ath9k_wmi_event_tasklet() is set by ath9k_init_wmi() from ath9k_htc_probe_device(), it is possible that ath9k_wmi_event_tasklet() is called via tasklet interrupt before spin_lock_init() from ath9k_init_priv() from ath9k_init_device() from ath9k_htc_probe_device() is called.

Let's hold ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) no-op until ath9k_tx_init() completes.

Link: https://syzkaller.appspot.com/bug?extid=31d54c60c5b254d6f75b [1]
Reported-by: syzbot
Signed-off-by: Tetsuo Handa
Tested-by: syzbot+31d54c60c5b254d6f75b@syzkaller.appspotmail.com
---
 drivers/net/wireless/ath/ath9k/htc.h          | 1 +
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 3 +++
 drivers/net/wireless/ath/ath9k/wmi.c          | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h index 4f71e962279a..6b45e63fae4b 100644 --- a/drivers/net/wireless/ath/ath9k/htc.h +++ b/drivers/net/wireless/ath/ath9k/htc.h @@ -306,6 +306,7 @@ struct ath9k_htc_tx { DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM); struct timer_list cleanup_timer; spinlock_t tx_lock; + bool initialized; }; struct ath9k_htc_tx_ctl { 
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c index 0d4595ee51ba..a5240a7f8c00 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c @@ -813,6 +813,9 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv) skb_queue_head_init(&priv->tx.data_vi_queue); skb_queue_head_init(&priv->tx.data_vo_queue); skb_queue_head_init(&priv->tx.tx_failed); + /* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */ + smp_wmb(); + priv->tx.initialized = true; return 0; } diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c index fe29ad4b9023..7e17d86bf5d3 100644 --- a/drivers/net/wireless/ath/ath9k/wmi.c +++ b/drivers/net/wireless/ath/ath9k/wmi.c @@ -169,6 +169,9 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t) &wmi->drv_priv->fatal_work); break; case WMI_TXSTATUS_EVENTID: + /* Check if ath9k_tx_init() completed. */ + if (!data_race(priv->tx.initialized)) + break; spin_lock_bh(&priv->tx.tx_lock); if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) { spin_unlock_bh(&priv->tx.tx_lock); -- 2.30.2
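Review bot: the new `bool initialized;` field added to struct ath9k_htc_tx in the htc.h hunk carries an ordering contract that the header does not document: it is written once at the end of ath9k_tx_init() and read lock-free from the WMI tasklet before tx_lock is taken, and nothing at the declaration tells a later reader of the struct which side sets it or that it must be read without the lock. Suggest a one-line comment on the field, for example `bool initialized; /* set once by ath9k_tx_init(); read lock-free in ath9k_wmi_event_tasklet() */`, and consider a more specific name such as `tx_initialized` so it does not read as a flag for the whole private structure.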
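Review bot: in the ath9k_tx_init() hunk, `smp_wmb(); priv->tx.initialized = true;` orders the preceding spin_lock_init() and skb_queue_head_init() stores before the flag store, but a write barrier only has an effect when the reader side has a matching read barrier, and the wmi.c hunk of this same patch reads the flag with a bare data_race() load and no smp_rmb() or acquire. Suggest `smp_store_release(&priv->tx.initialized, true);` here, which subsumes the smp_wmb() and also turns the plain store into a properly annotated concurrent write, with a comment that it pairs with the load in ath9k_wmi_event_tasklet(), so the pairing is explicit in both places.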
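Review bot: the early exit `if (!data_race(priv->tx.initialized)) break;` in the WMI_TXSTATUS_EVENTID case reads the flag with no ordering against the spin_lock_bh(&priv->tx.tx_lock) that follows; data_race() only tells KCSAN to ignore the access, it does not order the loads, so on a weakly ordered CPU the tasklet could observe initialized == true and still operate on a tx_lock whose initialization has not yet become visible, which is the race this patch is meant to close. Suggest `if (!smp_load_acquire(&priv->tx.initialized)) break;` paired with a release store in ath9k_tx_init(). The commit message describes the early exit as a no-op, so a short comment here on why a TX status event that arrives before ath9k_tx_init() can be discarded safely would also help the next reader.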