Toke Høiland-Jørgensen <toke@xxxxxxx> wrote:

> Syzbot points out that skb_trim() has a sanity check on the existing length of
> the skb, which can be uninitialised in some error paths. The intent here is
> clearly just to reset the length to zero before resubmitting, so switch to
> calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
> already contains a call to skb_reset_tail_pointer(), so remove the redundant
> call.
>
> The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
> usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
>
> Reported-by: syzbot+98afa303be379af6cdb2@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

94745807f3eb wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20240812142447.12328-1-toke@xxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches