wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

Message ID 20240812142447.12328-1-toke@toke.dk (mailing list archive)
State Accepted
Commit 94745807f3ebd379f23865e6dab196f220664179
Delegated to: Kalle Valo

Commit Message

Toke Høiland-Jørgensen Aug. 12, 2024, 2:24 p.m. UTC
From: Toke Høiland-Jørgensen <toke@redhat.com>

Syzbot points out that skb_trim() has a sanity check on the existing length of
the skb, which can be uninitialised in some error paths. The intent here is
clearly just to reset the length to zero before resubmitting, so switch to
calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
already contains a call to skb_reset_tail_pointer(), so remove the redundant
call.

The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.

Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

Comments

Kalle Valo Aug. 16, 2024, 10:10 a.m. UTC | #1
Toke Høiland-Jørgensen <toke@toke.dk> wrote:

> Syzbot points out that skb_trim() has a sanity check on the existing length of
> the skb, which can be uninitialised in some error paths. The intent here is
> clearly just to reset the length to zero before resubmitting, so switch to
> calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
> already contains a call to skb_reset_tail_pointer(), so remove the redundant
> call.
> 
> The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
> usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
> 
> Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>

Patch applied to ath-next branch of ath.git, thanks.

94745807f3eb wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

Patch

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 0c7841f95228..a3733c9b484e 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -716,8 +716,7 @@  static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	}
 
 resubmit:
-	skb_reset_tail_pointer(skb);
-	skb_trim(skb, 0);
+	__skb_set_length(skb, 0);
 
 	usb_anchor_urb(urb, &hif_dev->rx_submitted);
 	ret = usb_submit_urb(urb, GFP_ATOMIC);
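Review bot: The `__skb_set_length(skb, 0)` call at the `resubmit:` label in ath9k_hif_usb_rx_cb() drops the length check that skb_trim() performed, and the commit message says this path was changed by analogy with ath9k_hif_usb_reg_in_cb() rather than from the syzbot report itself. Please add a one-line comment above the call saying that the buffer is reset to empty unconditionally because the current skb->len may not be valid on every path that jumps to this label. Without it, a later cleanup could switch back to the checked helper and reintroduce the read of an uninitialised length.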
@@ -754,8 +753,7 @@  static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	case -ESHUTDOWN:
 		goto free_skb;
 	default:
-		skb_reset_tail_pointer(skb);
-		skb_trim(skb, 0);
+		__skb_set_length(skb, 0);
 
 		goto resubmit;
 	}
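Review bot: In the `default:` case of ath9k_hif_usb_reg_in_cb(), the patch avoids reading the uninitialised skb length but does not say which error path leaves it unset. This is the site syzbot reported, so it would help to name that path in the commit message or in a comment next to `__skb_set_length(skb, 0);`, which lets a reader judge whether initialising the length where the skb is set up would be the more complete fix. As a minor style point, the blank line kept between the reset and `goto resubmit;` can go now that the block is two statements.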