[ath-current] wifi: ath11k: fix NULL pointer dereference in ath11k_hal_srng_access_begin

Rameshkumar Sundaram rameshkumar.sundaram at oss.qualcomm.com
Tue Jun 9 22:46:54 PDT 2026


On 6/9/2026 2:36 PM, Gaole Zhang wrote:
> In ATH11K_QMI_EVENT_FW_READY, ATH11K_FLAG_REGISTERED is set
> unconditionally even when ath11k_core_qmi_firmware_ready() fails.
> This leaves the driver in an inconsistent state where
> initialization is considered complete although the firmware ready
> handling did not finish successfully. During the subsequent SSR,
> the driver enters the restart path based on this incorrect state
> and dereferences uninitialized srng members, resulting in a NULL
> pointer dereference.
> 
> Call trace:
>    ath11k_hal_srng_access_begin+0xc/0x60 [ath11k] (P)
>    ath11k_ce_cleanup_pipes+0x17c/0x180 [ath11k]
>    ath11k_core_restart+0x40/0x168 [ath11k]
> 
> Fix this by:
> - skipping firmware_ready if ATH11K_FLAG_REGISTERED is already set
> - setting ATH11K_FLAG_REGISTERED only when firmware_ready succeeds
> - setting ATH11K_FLAG_QMI_FAIL and aborting the FW_READY handling
> on error
> 
> Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.2.0.c2-00204-QCAMSLSWPLZ-1
> 
> Fixes: 6fe62a8cec51c ("wifi: ath11k: Add cold boot calibration support on WCN6750")
> Signed-off-by: Gaole Zhang <gaole.zhang at oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram at oss.qualcomm.com>
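The state-handling mistake described in the commit message (marking initialization complete before the initialization step has actually succeeded, then letting a later restart path trust that mark) can be modelled outside the driver. The following is an added example written for this page, not ath11k code or the submitter's patch: every type and function name in it is constructed, with `FLAG_REGISTERED` and `FLAG_QMI_FAIL` standing in for the driver flags named above and `model_firmware_ready()` standing in for `ath11k_core_qmi_firmware_ready()`. It runs the buggy ordering and the fixed ordering through the same failing firmware-ready event followed by a simulated restart, and reports whether the restart would touch an uninitialised ring pointer.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not the driver's definitions. */
enum {
    FLAG_REGISTERED = 1u << 0,   /* stands in for ATH11K_FLAG_REGISTERED */
    FLAG_QMI_FAIL   = 1u << 1,   /* stands in for ATH11K_FLAG_QMI_FAIL */
};

struct model_srng {
    int *ring_base;              /* NULL until firmware-ready handling sets it */
};

struct model_dev {
    unsigned int flags;
    struct model_srng srng;
    bool fw_ready_should_fail;   /* test knob: make firmware_ready fail */
    int fw_ready_calls;          /* how often firmware_ready was invoked */
};

/* Stand-in for ath11k_core_qmi_firmware_ready(): sets up the ring or fails. */
static int model_firmware_ready(struct model_dev *dev)
{
    static int ring_storage[16];

    dev->fw_ready_calls++;
    if (dev->fw_ready_should_fail)
        return -1;
    dev->srng.ring_base = ring_storage;
    return 0;
}

/* Ordering the commit message describes as the bug: the flag is set even
 * when firmware_ready failed, so the device looks fully initialised. */
static void fw_ready_event_buggy(struct model_dev *dev)
{
    model_firmware_ready(dev);          /* return value ignored */
    dev->flags |= FLAG_REGISTERED;
}

/* Ordering the commit message describes as the fix: skip a repeated
 * FW_READY, record the failure and abort on error, and only mark the
 * device registered after firmware_ready succeeded. */
static void fw_ready_event_fixed(struct model_dev *dev)
{
    if (dev->flags & FLAG_REGISTERED)
        return;
    if (model_firmware_ready(dev) != 0) {
        dev->flags |= FLAG_QMI_FAIL;
        return;
    }
    dev->flags |= FLAG_REGISTERED;
}

/* Simulated restart path: it only cleans up rings when the device claims
 * to be registered. Returns 0 when safe, -1 when it would dereference a
 * NULL ring pointer (the situation behind the trace in the patch). */
static int model_restart(const struct model_dev *dev)
{
    if (!(dev->flags & FLAG_REGISTERED))
        return 0;
    if (dev->srng.ring_base == NULL)
        return -1;
    return 0;
}

/* Run one scenario: a FW_READY event, then a restart. Returns the restart
 * result and reports the resulting flags through flags_out (may be NULL). */
int run_scenario(bool use_fix, bool fail_fw_ready, unsigned int *flags_out)
{
    struct model_dev dev = {
        .flags = 0, .srng = { NULL },
        .fw_ready_should_fail = fail_fw_ready, .fw_ready_calls = 0,
    };

    if (use_fix)
        fw_ready_event_fixed(&dev);
    else
        fw_ready_event_buggy(&dev);
    if (flags_out)
        *flags_out = dev.flags;
    return model_restart(&dev);
}

/* With the fix, a second FW_READY after a successful first one is a no-op;
 * returns how many times firmware_ready actually ran. */
int fixed_fw_ready_calls_after_two_events(void)
{
    struct model_dev dev = { .flags = 0, .srng = { NULL },
                             .fw_ready_should_fail = false, .fw_ready_calls = 0 };

    fw_ready_event_fixed(&dev);
    fw_ready_event_fixed(&dev);
    return dev.fw_ready_calls;
}
```

The model deliberately keeps the restart path unchanged between the two runs: the point of the fix is that a failed initialization must not leave state that later code is entitled to trust, so the restart path's check of the registered flag becomes sufficient once the flag is only ever set on success.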


