Re: [syzbot] divide error in ath9k_htc_swba

[Pavel Skripkin <paskripkin@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 968 bytes --]

On Fri, 18 Jun 2021 02:25:22 -0700
syzbot <syzbot+90d241d7661ca2493f0b@syzkaller.appspotmail.com> wrote:

> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    37fdb7c9 Merge tag 'v5.13-rc6' into usb-next
> git tree:
> https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
> usb-testing console output:
> https://syzkaller.appspot.com/x/log.txt?x=1702bbebd00000 kernel
> config:  https://syzkaller.appspot.com/x/.config?x=e3b6ba4f6e6c6ddf
> dashboard link:
> https://syzkaller.appspot.com/bug?extid=90d241d7661ca2493f0b syz
> repro:
> https://syzkaller.appspot.com/x/repro.syz?x=113b98b8300000 C
> reproducer:   https://syzkaller.appspot.com/x/repro.c?x=134650f7d00000
> 
> IMPORTANT: if you fix the issue, please add the following tag to the
> commit: Reported-by:
> syzbot+90d241d7661ca2493f0b@syzkaller.appspotmail.com

 
#syz test
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master





With regards,
Pavel Skripkin

[-- Attachment #2: 0001-net-wireless-ath9k-fix-divide-error.patch --]
[-- Type: text/x-patch, Size: 1976 bytes --]

From d9a4de91e4752866c78019fbeadaa471543550a5 Mon Sep 17 00:00:00 2001
From: Pavel Skripkin <paskripkin@gmail.com>
Date: Fri, 18 Jun 2021 13:29:27 +0300
Subject: [PATCH] net: wireless: ath9k: fix divide error

/* ---- */

Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 drivers/net/wireless/ath/ath9k/htc.h          | 1 +
 drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 ++
 drivers/net/wireless/ath/ath9k/wmi.c          | 6 ++++++
 3 files changed, 9 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h
index 0a1634238e67..1aaacdcda7ea 100644
--- a/drivers/net/wireless/ath/ath9k/htc.h
+++ b/drivers/net/wireless/ath/ath9k/htc.h
@@ -532,6 +532,7 @@ struct ath9k_htc_priv {
 #endif
 	struct mutex mutex;
 	struct ieee80211_vif *csa_vif;
+	atomic_t initialized;
 };
 
 static inline void ath_read_cachesize(struct ath_common *common, int *csz)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index ff61ae34ecdf..c3288bb07137 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -965,6 +965,8 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev,
 	if (ret)
 		goto err_init;
 
+	atomic_set(&priv->initialized, 1);
+
 	return 0;
 
 err_init:
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index fe29ad4b9023..a5f31ee86f04 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -146,6 +146,12 @@ void ath9k_wmi_event_tasklet(struct tasklet_struct *t)
 	unsigned long flags;
 	u16 cmd_id;
 
+	if (!atomic_read(&priv->initialized))
+		/* If tasked has been called with uninitalized ath9k_htc_priv,
+		 * it can cause divide-by-zero error in ath9k_htc_swba
+		 */
+		return;
+
 	do {
 		spin_lock_irqsave(&wmi->wmi_lock, flags);
 		skb = __skb_dequeue(&wmi->wmi_event_queue);
-- 
2.32.0