CVE-2022-50709

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: avoid uninit memory read in ath9khtcrx_msg()

syzbot is reporting uninit value at ath9khtcrxmsg() [1], for ioctl(USBRAWIOCTLEPWRITE) can call ath9khifusbrxstream() with pktlen = 0 but ath9khifusbrxstream() uses __devallocskb(pktlen + 32, GFPATOMIC) based on an assumption that pktlen is valid. As a result, ath9khifusbrxstream() allocates skb with uninitialized memory and ath9khtcrxmsg() is reading from uninitialized memory.

Since bytes accessed by ath9khtcrxmsg() is not known until ath9khtcrxmsg() is called, it would be difficult to check minimal valid pktlen at "if (pktlen > 2 * MAXRXBUFSIZE) {" line in ath9khifusbrx_stream().

We have two choices. One is to workaround by adding _GFPZERO so that ath9khtcrxmsg() sees 0 if pktlen is invalid. The other is to let ath9khtcrxmsg() validate pktlen before accessing. This patch chose the latter.

Note that I'm not sure threshold condition is correct, for I can't find details on possible packet length used by this protocol.