Re: [syzbot] [wireless?] [usb?] UBSAN: array-index-out-of-bounds in htc_issue_send

From: Edward Adam Davis
Date: Wed Mar 20 2024 - 21:15:39 EST


Please test the out-of-bounds access in htc_issue_send.

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 805ad31edba2..5d531aacedbc 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -275,6 +275,7 @@ int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,
connect.service_id = WMI_CONTROL_SVC;

ret = htc_connect_service(htc, &connect, &wmi->ctrl_epid);
+ printk("ret: %d, wmi: %p, epid: %d, %s\n", ret, wmi, wmi->ctrl_epid, __func__);
if (ret)
return ret;

@@ -304,6 +305,9 @@ static int ath9k_wmi_cmd_issue(struct wmi *wmi,
wmi->last_seq_id = wmi->tx_seq_id;
spin_unlock_irqrestore(&wmi->wmi_lock, flags);

+ printk("wmi: %p, epid: %d, %s\n", wmi, wmi->ctrl_epid, __func__);
+ if (wmi->ctrl_epid < 0 || wmi->ctrl_epid > ENDPOINT_MAX)
+ return -EINVAL;
return htc_send_epid(wmi->htc, skb, wmi->ctrl_epid);
}
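Review bot: The added bound check `wmi->ctrl_epid > ENDPOINT_MAX` still lets the value ENDPOINT_MAX itself through. If the endpoint table that htc_send_epid() indexes has ENDPOINT_MAX entries (its declaration is not visible in this hunk), that index is one past the end, so the test should read `if (wmi->ctrl_epid < 0 || wmi->ctrl_epid >= ENDPOINT_MAX)`. The check also runs after `wmi->last_seq_id` has been updated, so a rejected command leaves the sequence state advanced; presumably the id originates in the device's connect response, in which case validating it where htc_connect_service() stores it would reject a bad value at the source instead of on every send. The two printk() calls, here and in the ath9k_wmi_connect hunk, carry no log level and should be dropped or moved to the driver's debug logging before this goes beyond a test patch. ath9k_wmi_cmd_issue begins outside the hunk.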