| Message ID | 20240812142447.12328-1-toke@toke.dk |
|---|---|
| State | New |
| Headers | show |
| Series | wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit | expand |
Toke Høiland-Jørgensen <toke@toke.dk> wrote: > Syzbot points out that skb_trim() has a sanity check on the existing length of > the skb, which can be uninitialised in some error paths. The intent here is > clearly just to reset the length to zero before resubmitting, so switch to > calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() > already contains a call to skb_reset_tail_pointer(), so remove the redundant > call. > > The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar > usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it. > > Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com > Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Patch applied to ath-next branch of ath.git, thanks. 94745807f3eb wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 0c7841f95228..a3733c9b484e 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -716,8 +716,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb) } resubmit: - skb_reset_tail_pointer(skb); - skb_trim(skb, 0); + __skb_set_length(skb, 0); usb_anchor_urb(urb, &hif_dev->rx_submitted); ret = usb_submit_urb(urb, GFP_ATOMIC); @@ -754,8 +753,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) case -ESHUTDOWN: goto free_skb; default: - skb_reset_tail_pointer(skb); - skb_trim(skb, 0); + __skb_set_length(skb, 0); goto resubmit; }