[lvc-project] On #syz test glitch
Dmitry Antipov
dmantipov at yandex.ru
Fri Oct 25 08:52:54 MSK 2024
Recently I've sent the following:
To: syzbot+93cbd5fbb85814306ba1 at syzkaller.appspotmail.com
From: Dmitry Antipov <dmantipov at yandex.ru>
Subject: Re: UBSAN: array-index-out-of-bounds in htc_issue_send
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next eaed5fc0c322d75cfcdbc7a16c0c5023d9e4f6fe
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..a5bc0a5dfe7c 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -294,6 +294,9 @@ int htc_connect_service(struct htc_target *target,
return -ETIMEDOUT;
}
+ if (unlikely(target->conn_rsp_epid == ENDPOINT_UNUSED))
+ return -ENODEV;
+
*conn_rsp_epid = target->conn_rsp_epid;
return 0;
err:
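Review bot: the added check in htc_connect_service() rejects only the ENDPOINT_UNUSED sentinel before `*conn_rsp_epid = target->conn_rsp_epid;`. Since the report in the subject is an array index out of bounds, confirm that no other out-of-range value can reach that assignment, or make this a range check. The early `return -ENODEV;` also bypasses the `err:` label that follows, as the existing `return -ETIMEDOUT;` does. A short comment stating when conn_rsp_epid can still be unset once the timeout check has passed, and that nothing needs unwinding at this point, would make the intent clear.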
And this is what I'm seeing at https://syzkaller.appspot.com/text?tag=Patch&x=10caa8a7980000:
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index eb631fd3336d..a5bc0a5dfe7c 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -294,6 +294,9 @@ int htc_connect_service(struct htc_target *target,
return -ETIMEDOUT;
}
Since the patch is truncated, it can't be applied and the rest of the pipeline is obviously broken.
Why is this so, and how should I handle this?
Thanks,
Dmitry