Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5223C61DA4 for ; Mon, 13 Mar 2023 17:08:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231451AbjCMRID (ORCPT ); Mon, 13 Mar 2023 13:08:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43176 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230301AbjCMRHe (ORCPT ); Mon, 13 Mar 2023 13:07:34 -0400 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 684527C9CA for ; Mon, 13 Mar 2023 10:06:41 -0700 (PDT) Received: from fpc (unknown [10.10.165.12]) by mail.ispras.ru (Postfix) with ESMTPSA id 0A45740737B5; Mon, 13 Mar 2023 17:05:33 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 0A45740737B5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1678727133; bh=dcathSfQ23gltzgIcKInyh+BoofN73T1rgTJq8y09tA=; h=Date:From:To:Cc:Subject:From; b=FndkBetmxL5iQh8xaXh1ZE66A88W7l3plkm8S6/Ffg6q/F0kNgDYgzTmxpWkjMnH/ SWZzs54UnLogZ05MpgOiwMlN6GkbrVF57E0ZsuPCz24Iv49KecaQZVzEREYpG5PZ+q 8gY5saeeYgRMvvmjSJD3uzHlPwK6yiRdazTnFyRM= Date: Mon, 13 Mar 2023 20:05:28 +0300 From: Fedor Pchelkin To: syzbot+df61b36319e045c00a08@syzkaller.appspotmail.com Cc: syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org Subject: Re: [syzbot] [wireless?] KMSAN: uninit-value in ath9k_hw_init Message-ID: <20230313170124.dcko4zbkpsnxnbws@fpc> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org #syz test: https://github.com/google/kmsan.git master --- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c @@ -259,7 +259,7 @@ static void ath9k_multi_regread(void *hw_priv, u32 *addr, struct ath_common *common = ath9k_hw_common(ah); struct ath9k_htc_priv *priv = (struct ath9k_htc_priv *) common->priv; __be32 tmpaddr[8]; - __be32 tmpval[8]; + __be32 tmpval[8] = {0}; int i, ret; for (i = 0; i < count; i++) { --- a/drivers/net/wireless/ath/ath9k/wmi.c +++ b/drivers/net/wireless/ath/ath9k/wmi.c @@ -204,8 +204,13 @@ static void ath9k_wmi_rsp_callback(struct wmi *wmi, struct sk_buff *skb) { skb_pull(skb, sizeof(struct wmi_cmd_hdr)); + if (unlikely(skb->len < wmi->cmd_rsp_len)) + return; + if (wmi->cmd_rsp_buf != NULL && wmi->cmd_rsp_len != 0) memcpy(wmi->cmd_rsp_buf, skb->data, wmi->cmd_rsp_len); + else + return; complete(&wmi->cmd_wait); } @@ -221,6 +226,9 @@ static void ath9k_wmi_ctrl_rx(void *priv, struct sk_buff *skb, if (unlikely(wmi->stopped)) goto free_skb; + if (unlikely(skb->len < sizeof(struct wmi_cmd_hdr))) + goto free_skb; + hdr = (struct wmi_cmd_hdr *) skb->data; cmd_id = be16_to_cpu(hdr->command_id); @@ -308,8 +316,11 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, unsigned long time_left; int ret = 0; - if (ah->ah_flags & AH_UNPLUGGED) - return 0; + if (ah->ah_flags & AH_UNPLUGGED) { + ath_dbg(common, WMI, "Device unplugged for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); + return -ENODEV; + } skb = alloc_skb(headroom + cmd_len, GFP_ATOMIC); if (!skb) @@ -342,15 +353,22 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", wmi_cmd_to_name(cmd_id)); wmi->last_seq_id = 0; + wmi->cmd_rsp_buf = NULL; + wmi->cmd_rsp_len = 0; mutex_unlock(&wmi->op_mutex); return -ETIMEDOUT; } + wmi->cmd_rsp_buf = NULL; + wmi->cmd_rsp_len = 0; + mutex_unlock(&wmi->op_mutex); return 0; out: + wmi->cmd_rsp_buf = NULL; + wmi->cmd_rsp_len = 0; ath_dbg(common, WMI, "WMI failure for: %s\n", wmi_cmd_to_name(cmd_id)); mutex_unlock(&wmi->op_mutex); kfree_skb(skb); --