CVE-2024-26897

Severity CVSS v4.0: Pending analysis
Type: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date: 17/04/2024
Last modified: 23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: delay all of ath9k_wmi_event_tasklet() until init is complete

The ath9k_wmi_event_tasklet() used in ath9k_htc assumes that all the data structures have been fully initialised by the time it runs. However, because of the order in which things are initialised, this is not guaranteed to be the case, because the device is exposed to the USB subsystem before the ath9k driver initialisation is completed.

We already committed a partial fix for this in commit:
8b3046abc99e ("ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()")

However, that commit only aborted the WMI_TXSTATUS_EVENTID command in the event tasklet, pairing it with an "initialisation complete" bit in the TX struct. It seems syzbot managed to trigger the race for one of the other commands as well, so let's just move the existing synchronisation bit to cover the whole tasklet (setting it at the end of ath9k_htc_probe_device() instead of inside ath9k_tx_init()).

Vulnerable products and versions

CPE                                               From                  Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.10.136 (including)  5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.15.17 (including)   5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16.3 (including)    6.1.83 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)       6.6.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)       6.7.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.8 (including)       6.8.2 (excluding)
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
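
The following is an added example, not part of the advisory: a check of an upstream kernel release string against the linux_kernel ranges listed above. The function names are hypothetical and the sample inputs are constructed; the range bounds are copied from the table.

```python
import re

# (first affected, first fixed) pairs copied from the table above:
# the start of each range is inclusive, the end is exclusive.
AFFECTED_RANGES = [
    ((5, 10, 136), (5, 10, 214)),
    ((5, 15, 17), (5, 15, 153)),
    ((5, 16, 3), (6, 1, 83)),
    ((6, 2, 0), (6, 6, 23)),
    ((6, 7, 0), (6, 7, 11)),
    ((6, 8, 0), (6, 8, 2)),
]


def parse_kernel_version(release):
    """Turn a release string such as '6.6.22' or '5.10.136-generic' into a
    (major, minor, patch) tuple; a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def matching_range(release):
    """Return the (start, end) range that contains the release, or None."""
    version = parse_kernel_version(release)
    for start, end in AFFECTED_RANGES:
        # Tuple comparison orders versions across minor series, which the
        # 5.16.3 .. 6.1.83 range needs (it spans 5.17, 5.19, 6.0, ...).
        if start <= version < end:
            return start, end
    return None


def is_affected(release):
    return matching_range(release) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["5.10.135", "5.10.136", "5.15.153", "6.0.5", "6.6.23", "6.8.1"]:
        hit = matching_range(sample)
        if hit:
            print(f"{sample}: in affected range, ends before %d.%d.%d" % hit[1])
        else:
            print(f"{sample}: not in the listed ranges")
```

Distribution kernels often backport fixes without changing the upstream version number, so a match here needs confirming against the vendor's own advisory. The debian_linux 10.0 entry has no version bounds in the table and is not covered by this check.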