Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> writes:

> Fix a stack-out-of-bounds write that occurs in a WMI response callback
> function that is called after a timeout occurs in ath9k_wmi_cmd().
> The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
> could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
> 0 when a timeout occurred.
>
> Found by a modified version of syzkaller.
>
> BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
> Write of size 4
> Call Trace:
>  memcpy
>  ath9k_wmi_ctrl_rx
>  ath9k_htc_rx_msg
>  ath9k_hif_usb_reg_in_cb
>  __usb_hcd_giveback_urb
>  usb_hcd_giveback_urb
>  dummy_timer
>  call_timer_fn
>  run_timer_softirq
>  __do_softirq
>  irq_exit_rcu
>  sysvec_apic_timer_interrupt
>
> Signed-off-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>

Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>

Also (Kalle, I assume you can just add this):

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
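The bug class described in the quoted commit message (a response callback writing through a pointer to a caller's stack buffer after the caller has already timed out and returned) is easy to reproduce in a small model. The following is an added example, not code from the ath9k driver or from this thread: it models the command/response sequence-id handshake and shows why clearing the pending sequence id on timeout stops the late callback from writing. All names here (struct wmi_model, wmi_cmd_model, wmi_rx_model, struct rsp_model, late_response_writes, in_time_response_ok) are hypothetical, and the response layout is a constructed sample, not the real WMI wire format.

```c
/* Added example: a simplified model of the pattern in the commit message.
 * Not the ath9k driver's own code; names and the message layout are made up. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct wmi_model {
    uint16_t last_seq_id;   /* seq id of the command awaiting a response; 0 = none pending */
    void *cmd_rsp_buf;      /* caller-supplied buffer the response payload is copied into */
    size_t cmd_rsp_len;     /* size of that buffer */
};

/* Constructed response message: header plus a small payload. */
struct rsp_model {
    uint16_t seq_id;
    uint16_t len;
    uint8_t data[8];
};

/* Response path (the callback). Copies only if a response with this seq id is
 * still expected; a stale or unknown seq id is dropped. Returns true on copy. */
bool wmi_rx_model(struct wmi_model *wmi, const struct rsp_model *rsp)
{
    if (wmi->last_seq_id == 0 || rsp->seq_id != wmi->last_seq_id)
        return false;
    size_t n = rsp->len < wmi->cmd_rsp_len ? rsp->len : wmi->cmd_rsp_len;
    memcpy(wmi->cmd_rsp_buf, rsp->data, n);
    wmi->last_seq_id = 0;   /* exactly one response per command */
    return true;
}

/* Command path. `in_time_rsp` is the response that arrives before the timeout
 * (NULL simulates a timeout). `clear_on_timeout` selects the fixed behaviour
 * (true: forget the pending seq id) or the buggy one (false: leave it set).
 * Returns 0 on success, -1 on timeout (the kernel would return -ETIMEDOUT). */
int wmi_cmd_model(struct wmi_model *wmi, uint16_t seq_id, void *rsp_buf, size_t rsp_len,
                  const struct rsp_model *in_time_rsp, bool clear_on_timeout)
{
    wmi->last_seq_id = seq_id;
    wmi->cmd_rsp_buf = rsp_buf;
    wmi->cmd_rsp_len = rsp_len;
    if (in_time_rsp && wmi_rx_model(wmi, in_time_rsp))
        return 0;
    if (clear_on_timeout)
        wmi->last_seq_id = 0;   /* the fix: nothing may write to rsp_buf after we return */
    return -1;
}

/* Scenario: the command times out, the caller's frame (and its buffer) is gone,
 * then a late response carrying the old seq id arrives. Returns true if the
 * callback wrote through the stale pointer, i.e. the bug reproduced. The
 * buffer is kept alive here only so the model itself is free of undefined
 * behaviour; in the real driver it would be a dead stack frame. */
bool late_response_writes(bool clear_on_timeout)
{
    struct wmi_model wmi = {0};
    uint8_t stack_buf[8] = {0};   /* stands in for the caller's stack buffer */
    int rc = wmi_cmd_model(&wmi, 0x1234, stack_buf, sizeof stack_buf, NULL, clear_on_timeout);
    struct rsp_model late = { .seq_id = 0x1234, .len = 4, .data = {1, 2, 3, 4} };
    return rc != 0 && wmi_rx_model(&wmi, &late);
}

/* Sanity check: a response that arrives in time is still delivered with the fix. */
bool in_time_response_ok(void)
{
    struct wmi_model wmi = {0};
    uint8_t buf[8] = {0};
    struct rsp_model rsp = { .seq_id = 7, .len = 4, .data = {0xAA, 0xBB, 0xCC, 0xDD} };
    int rc = wmi_cmd_model(&wmi, 7, buf, sizeof buf, &rsp, true);
    return rc == 0 && buf[0] == 0xAA && buf[3] == 0xDD && wmi.last_seq_id == 0;
}

int main(void)
{
    printf("without fix, late response writes: %s\n", late_response_writes(false) ? "yes" : "no");
    printf("with fix, late response writes:    %s\n", late_response_writes(true) ? "yes" : "no");
    printf("in-time response delivered:        %s\n", in_time_response_ok() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps the buffer alive so that the buggy path can be observed without undefined behaviour; the point it demonstrates is the ordering hazard, namely that the only thing standing between the callback and a freed stack buffer is the pending sequence id, so that id must be invalidated before the timed-out caller returns.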