linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 2/2 (RESEND)] ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
@ 2021-09-21 13:06 Tetsuo Handa
  2021-10-02  9:29 ` Two ath9k_htc fixes Tetsuo Handa
  0 siblings, 1 reply; 3+ messages in thread
From: Tetsuo Handa @ 2021-09-21 13:06 UTC (permalink / raw)
  To: Kalle Valo, David S. Miller, Jakub Kicinski
  Cc: ath9k-devel, linux-wireless, Network Development

syzbot is reporting lockdep warning at ath9k_wmi_event_tasklet() followed
by kernel panic at get_htc_epid_queue() from ath9k_htc_tx_get_packet() from
ath9k_htc_txstatus() [1], for ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID)
depends on spin_lock_init() from ath9k_init_priv() being already completed.

Since ath9k_wmi_event_tasklet() is set by ath9k_init_wmi() from
ath9k_htc_probe_device(), it is possible that ath9k_wmi_event_tasklet() is
called via tasklet interrupt before spin_lock_init() from ath9k_init_priv()
 from ath9k_init_device() from ath9k_htc_probe_device() is called.

Let's hold ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) no-op until
ath9k_tx_init() completes.

Link: https://syzkaller.appspot.com/bug?extid=31d54c60c5b254d6f75b [1]
Reported-by: syzbot <syzbot+31d54c60c5b254d6f75b@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Tested-by: syzbot <syzbot+31d54c60c5b254d6f75b@syzkaller.appspotmail.com>
---
 drivers/net/wireless/ath/ath9k/htc.h          | 1 +
 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 3 +++
 drivers/net/wireless/ath/ath9k/wmi.c          | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
index 4f71e962279a..6b45e63fae4b 100644
--- a/drivers/net/wireless/ath/ath9k/htc.h
+++ b/drivers/net/wireless/ath/ath9k/htc.h
@@ -306,6 +306,7 @@ struct ath9k_htc_tx {
 	DECLARE_BITMAP(tx_slot, MAX_TX_BUF_NUM);
 	struct timer_list cleanup_timer;
 	spinlock_t tx_lock;
+	bool initialized;
 };
 
 struct ath9k_htc_tx_ctl {
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 0d4595ee51ba..a5240a7f8c00 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -813,6 +813,9 @@ int ath9k_tx_init(struct ath9k_htc_priv *priv)
 	skb_queue_head_init(&priv->tx.data_vi_queue);
 	skb_queue_head_init(&priv->tx.data_vo_queue);
 	skb_queue_head_init(&priv->tx.tx_failed);
+	/* Allow ath9k_wmi_event_tasklet(WMI_TXSTATUS_EVENTID) to operate. */
+	smp_wmb();
+	priv->tx.initialized = true;
 	return 0;
 }
 
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index fe29ad4b9023..7e17d86bf5d3 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -169,6 +169,9 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
 					     &wmi->drv_priv->fatal_work);
 			break;
 		case WMI_TXSTATUS_EVENTID:
+			/* Check if ath9k_tx_init() completed. */
+			if (!data_race(priv->tx.initialized))
+				break;
 			spin_lock_bh(&priv->tx.tx_lock);
 			if (priv->tx.flags & ATH9K_HTC_OP_TX_DRAIN) {
 				spin_unlock_bh(&priv->tx.tx_lock);
-- 
2.18.4

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Two ath9k_htc fixes
  2021-09-21 13:06 [PATCH 2/2 (RESEND)] ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet() Tetsuo Handa
@ 2021-10-02  9:29 ` Tetsuo Handa
  2021-10-02 11:18   ` Kalle Valo
  0 siblings, 1 reply; 3+ messages in thread
From: Tetsuo Handa @ 2021-10-02  9:29 UTC (permalink / raw)
  To: David S. Miller
  Cc: ath9k-devel, linux-wireless, Network Development, Kalle Valo,
	Jakub Kicinski

Hello, David.

I don't know whether these patches can fix all races.
But since no response from ath9k maintainers/developers,
can you directly pick up these patches via your tree?

Regards.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Two ath9k_htc fixes
  2021-10-02  9:29 ` Two ath9k_htc fixes Tetsuo Handa
@ 2021-10-02 11:18   ` Kalle Valo
  0 siblings, 0 replies; 3+ messages in thread
From: Kalle Valo @ 2021-10-02 11:18 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: David S. Miller, ath9k-devel, linux-wireless,
	Network Development, Jakub Kicinski

Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> writes:

> I don't know whether these patches can fix all races.
> But since no response from ath9k maintainers/developers,
> can you directly pick up these patches via your tree?

Dave, please do not take ath9k patches. It seems that all ath9k syzbot
fixes are of questionable quality, and at least some of them have
created regressions, so they need to be tested on a real device before I
apply them. I asked for help but nobody cared, so I now need to create
an ath9k_htc test setup myself and that will take a while.

Tetsuo, the patches are on my deferred queue and you can follow the
status via patchwork:

https://patchwork.kernel.org/project/linux-wireless/list/?series=550357&state=*

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-10-02 11:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-21 13:06 [PATCH 2/2 (RESEND)] ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet() Tetsuo Handa
2021-10-02  9:29 ` Two ath9k_htc fixes Tetsuo Handa
2021-10-02 11:18   ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).