AI Trajectory


Seq Timestamp Type Name Duration
0/0 2026/06/30 16:11 flow patch-triage
1m Args:
null

Results:
{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch performs a non-functional API replacement, switching from page allocator functions (e.g., get_zeroed_page, __get_free_pages) to slab allocator functions (kzalloc, kmalloc) across several network and wireless drivers. This does not alter the execution flow or core logic. Additionally, most of the modified drivers (bnx2x, ice, sfc, b43, wlcore) are for specific physical hardware (PCI/SDIO) that is not emulated in virtualized environments like QEMU, making these code paths unreachable during fuzzing.",
  "WorthFuzzing": false
}

1/1 2026/06/30 16:11 action read-patch-diff
0m Args:
null

Results:
{
  "PatchDiff": "commit fe3f37d03454092e2180b596cb2e7381390ab35c\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate:   Tue Jun 30 16:11:13 2026 +0000\n\n    syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c\nindex 07a908a2c72f25..d560524d317d98 100644\n--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c\n+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c\n@@ -26,6 +26,7 @@\n #include \u003clinux/netdevice.h\u003e\n #include \u003clinux/etherdevice.h\u003e\n #include \u003clinux/crc32c.h\u003e\n+#include \u003clinux/slab.h\u003e\n #include \"bnx2x.h\"\n #include \"bnx2x_cmn.h\"\n #include \"bnx2x_sp.h\"\n@@ -2664,7 +2665,7 @@ static void bnx2x_free_groups(struct list_head *mcast_group_list)\n \t\t\t\t      struct bnx2x_mcast_elem_group,\n \t\t\t\t      mcast_group_link);\n \t\tlist_del(\u0026current_mcast_group-\u003emcast_group_link);\n-\t\tfree_page((unsigned long)current_mcast_group);\n+\t\tkfree(current_mcast_group);\n \t}\n }\n \n@@ -2713,8 +2714,7 @@ static int bnx2x_mcast_enqueue_cmd(struct bnx2x *bp,\n \t\t\t\ttotal_elems = BNX2X_MCAST_BINS_NUM;\n \t\t}\n \t\twhile (total_elems \u003e 0) {\n-\t\t\telem_group = (struct bnx2x_mcast_elem_group *)\n-\t\t\t\t     __get_free_page(GFP_ATOMIC | __GFP_ZERO);\n+\t\t\telem_group = kzalloc(PAGE_SIZE, GFP_ATOMIC);\n \t\t\tif (!elem_group) {\n \t\t\t\tbnx2x_free_groups(\u0026new_cmd-\u003egroup_head);\n \t\t\t\tkfree(new_cmd);\ndiff --git a/drivers/net/ethernet/intel/ice/ice_gnss.c b/drivers/net/ethernet/intel/ice/ice_gnss.c\nindex 8fd954f1ebd675..7d21c3417b0b27 100644\n--- a/drivers/net/ethernet/intel/ice/ice_gnss.c\n+++ b/drivers/net/ethernet/intel/ice/ice_gnss.c\n@@ -2,6 +2,7 @@\n /* Copyright (C) 2021-2022, Intel Corporation. 
*/\n \n #include \"ice.h\"\n+#include \u003clinux/slab.h\u003e\n #include \"ice_lib.h\"\n \n /**\n@@ -124,7 +125,7 @@ static void ice_gnss_read(struct kthread_work *work)\n \n \tdata_len = min_t(typeof(data_len), data_len, PAGE_SIZE);\n \n-\tbuf = (char *)get_zeroed_page(GFP_KERNEL);\n+\tbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf) {\n \t\terr = -ENOMEM;\n \t\tgoto requeue;\n@@ -151,7 +152,7 @@ static void ice_gnss_read(struct kthread_work *work)\n \t\t\t count, i);\n \tdelay = ICE_GNSS_TIMER_DELAY_TIME;\n free_buf:\n-\tfree_page((unsigned long)buf);\n+\tkfree(buf);\n requeue:\n \tkthread_queue_delayed_work(gnss-\u003ekworker, \u0026gnss-\u003eread_work, delay);\n \tif (err)\ndiff --git a/drivers/net/ethernet/sfc/mcdi.c b/drivers/net/ethernet/sfc/mcdi.c\nindex e65db9b707244a..b806d3d90c42e6 100644\n--- a/drivers/net/ethernet/sfc/mcdi.c\n+++ b/drivers/net/ethernet/sfc/mcdi.c\n@@ -7,6 +7,7 @@\n #include \u003clinux/delay.h\u003e\n #include \u003clinux/moduleparam.h\u003e\n #include \u003clinux/atomic.h\u003e\n+#include \u003clinux/slab.h\u003e\n #include \"net_driver.h\"\n #include \"nic.h\"\n #include \"io.h\"\n@@ -71,7 +72,7 @@ int efx_mcdi_init(struct efx_nic *efx)\n \tmcdi-\u003eefx = efx;\n #ifdef CONFIG_SFC_MCDI_LOGGING\n \t/* consuming code assumes buffer is page-sized */\n-\tmcdi-\u003elogging_buffer = (char *)__get_free_page(GFP_KERNEL);\n+\tmcdi-\u003elogging_buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!mcdi-\u003elogging_buffer)\n \t\tgoto fail1;\n \tmcdi-\u003elogging_enabled = mcdi_logging_default;\n@@ -112,7 +113,7 @@ int efx_mcdi_init(struct efx_nic *efx)\n \treturn 0;\n fail2:\n #ifdef CONFIG_SFC_MCDI_LOGGING\n-\tfree_page((unsigned long)mcdi-\u003elogging_buffer);\n+\tkfree(mcdi-\u003elogging_buffer);\n fail1:\n #endif\n \tkfree(efx-\u003emcdi);\n@@ -138,7 +139,7 @@ void efx_mcdi_fini(struct efx_nic *efx)\n \t\treturn;\n \n #ifdef CONFIG_SFC_MCDI_LOGGING\n-\tfree_page((unsigned 
long)efx-\u003emcdi-\u003eiface.logging_buffer);\n+\tkfree(efx-\u003emcdi-\u003eiface.logging_buffer);\n #endif\n \n \tkfree(efx-\u003emcdi);\ndiff --git a/drivers/net/ethernet/sfc/siena/mcdi.c b/drivers/net/ethernet/sfc/siena/mcdi.c\nindex 4d0d6bd5d3d116..048c1e6017c0a5 100644\n--- a/drivers/net/ethernet/sfc/siena/mcdi.c\n+++ b/drivers/net/ethernet/sfc/siena/mcdi.c\n@@ -7,6 +7,7 @@\n #include \u003clinux/delay.h\u003e\n #include \u003clinux/moduleparam.h\u003e\n #include \u003clinux/atomic.h\u003e\n+#include \u003clinux/slab.h\u003e\n #include \"net_driver.h\"\n #include \"nic.h\"\n #include \"io.h\"\n@@ -73,7 +74,7 @@ int efx_siena_mcdi_init(struct efx_nic *efx)\n \tmcdi-\u003eefx = efx;\n #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING\n \t/* consuming code assumes buffer is page-sized */\n-\tmcdi-\u003elogging_buffer = (char *)__get_free_page(GFP_KERNEL);\n+\tmcdi-\u003elogging_buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!mcdi-\u003elogging_buffer)\n \t\tgoto fail1;\n \tmcdi-\u003elogging_enabled = efx_siena_mcdi_logging_default;\n@@ -116,7 +117,7 @@ int efx_siena_mcdi_init(struct efx_nic *efx)\n \treturn 0;\n fail2:\n #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING\n-\tfree_page((unsigned long)mcdi-\u003elogging_buffer);\n+\tkfree(mcdi-\u003elogging_buffer);\n fail1:\n #endif\n \tkfree(efx-\u003emcdi);\n@@ -142,7 +143,7 @@ void efx_siena_mcdi_fini(struct efx_nic *efx)\n \t\treturn;\n \n #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING\n-\tfree_page((unsigned long)efx-\u003emcdi-\u003eiface.logging_buffer);\n+\tkfree(efx-\u003emcdi-\u003eiface.logging_buffer);\n #endif\n \n \tkfree(efx-\u003emcdi);\ndiff --git a/drivers/net/wireless/broadcom/b43/debugfs.c b/drivers/net/wireless/broadcom/b43/debugfs.c\nindex acddae68947aa4..31a1ff00c1a459 100644\n--- a/drivers/net/wireless/broadcom/b43/debugfs.c\n+++ b/drivers/net/wireless/broadcom/b43/debugfs.c\n@@ -495,7 +495,6 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,\n \tssize_t ret;\n \tchar *buf;\n \tconst size_t 
bufsize = 1024 * 16; /* 16 kiB buffer */\n-\tconst size_t buforder = get_order(bufsize);\n \tint err = 0;\n \n \tif (!count)\n@@ -518,15 +517,14 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,\n \tdfile = fops_to_dfs_file(dev, dfops);\n \n \tif (!dfile-\u003ebuffer) {\n-\t\tbuf = (char *)__get_free_pages(GFP_KERNEL, buforder);\n+\t\tbuf = kzalloc(bufsize, GFP_KERNEL);\n \t\tif (!buf) {\n \t\t\terr = -ENOMEM;\n \t\t\tgoto out_unlock;\n \t\t}\n-\t\tmemset(buf, 0, bufsize);\n \t\tret = dfops-\u003eread(dev, buf, bufsize);\n \t\tif (ret \u003c= 0) {\n-\t\t\tfree_pages((unsigned long)buf, buforder);\n+\t\t\tkfree(buf);\n \t\t\terr = ret;\n \t\t\tgoto out_unlock;\n \t\t}\n@@ -538,7 +536,7 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,\n \t\t\t\t      dfile-\u003ebuffer,\n \t\t\t\t      dfile-\u003edata_len);\n \tif (*ppos \u003e= dfile-\u003edata_len) {\n-\t\tfree_pages((unsigned long)dfile-\u003ebuffer, buforder);\n+\t\tkfree(dfile-\u003ebuffer);\n \t\tdfile-\u003ebuffer = NULL;\n \t\tdfile-\u003edata_len = 0;\n \t}\n@@ -577,7 +575,7 @@ static ssize_t b43_debugfs_write(struct file *file,\n \t\tgoto out_unlock;\n \t}\n \n-\tbuf = (char *)get_zeroed_page(GFP_KERNEL);\n+\tbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf) {\n \t\terr = -ENOMEM;\n \t\tgoto out_unlock;\n@@ -591,7 +589,7 @@ static ssize_t b43_debugfs_write(struct file *file,\n \t\tgoto out_freepage;\n \n out_freepage:\n-\tfree_page((unsigned long)buf);\n+\tkfree(buf);\n out_unlock:\n \tmutex_unlock(\u0026dev-\u003ewl-\u003emutex);\n \ndiff --git a/drivers/net/wireless/broadcom/b43legacy/debugfs.c b/drivers/net/wireless/broadcom/b43legacy/debugfs.c\nindex 3ad99124d52279..42cce5e0402d5c 100644\n--- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c\n+++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c\n@@ -192,7 +192,6 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,\n \tssize_t ret;\n \tchar *buf;\n \tconst size_t 
bufsize = 1024 * 16; /* 16 KiB buffer */\n-\tconst size_t buforder = get_order(bufsize);\n \tint err = 0;\n \n \tif (!count)\n@@ -215,7 +214,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,\n \tdfile = fops_to_dfs_file(dev, dfops);\n \n \tif (!dfile-\u003ebuffer) {\n-\t\tbuf = (char *)__get_free_pages(GFP_KERNEL, buforder);\n+\t\tbuf = kmalloc(bufsize, GFP_KERNEL);\n \t\tif (!buf) {\n \t\t\terr = -ENOMEM;\n \t\t\tgoto out_unlock;\n@@ -228,7 +227,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,\n \t\t} else\n \t\t\tret = dfops-\u003eread(dev, buf, bufsize);\n \t\tif (ret \u003c= 0) {\n-\t\t\tfree_pages((unsigned long)buf, buforder);\n+\t\t\tkfree(buf);\n \t\t\terr = ret;\n \t\t\tgoto out_unlock;\n \t\t}\n@@ -240,7 +239,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,\n \t\t\t\t      dfile-\u003ebuffer,\n \t\t\t\t      dfile-\u003edata_len);\n \tif (*ppos \u003e= dfile-\u003edata_len) {\n-\t\tfree_pages((unsigned long)dfile-\u003ebuffer, buforder);\n+\t\tkfree(dfile-\u003ebuffer);\n \t\tdfile-\u003ebuffer = NULL;\n \t\tdfile-\u003edata_len = 0;\n \t}\n@@ -279,7 +278,7 @@ static ssize_t b43legacy_debugfs_write(struct file *file,\n \t\tgoto out_unlock;\n \t}\n \n-\tbuf = (char *)get_zeroed_page(GFP_KERNEL);\n+\tbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf) {\n \t\terr = -ENOMEM;\n \t\tgoto out_unlock;\n@@ -298,7 +297,7 @@ static ssize_t b43legacy_debugfs_write(struct file *file,\n \t\tgoto out_freepage;\n \n out_freepage:\n-\tfree_page((unsigned long)buf);\n+\tkfree(buf);\n out_unlock:\n \tmutex_unlock(\u0026dev-\u003ewl-\u003emutex);\n \ndiff --git a/drivers/net/wireless/marvell/libertas/debugfs.c b/drivers/net/wireless/marvell/libertas/debugfs.c\nindex 9ebd691349400f..9428f954837a10 100644\n--- a/drivers/net/wireless/marvell/libertas/debugfs.c\n+++ b/drivers/net/wireless/marvell/libertas/debugfs.c\n@@ -35,8 +35,7 @@ static ssize_t lbs_dev_info(struct file 
*file, char __user *userbuf,\n {\n \tstruct lbs_private *priv = file-\u003eprivate_data;\n \tsize_t pos = 0;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tssize_t res;\n \tif (!buf)\n \t\treturn -ENOMEM;\n@@ -48,7 +47,7 @@ static ssize_t lbs_dev_info(struct file *file, char __user *userbuf,\n \n \tres = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn res;\n }\n \n@@ -96,8 +95,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,\n \tssize_t ret;\n \tsize_t pos = 0;\n \tstruct sleep_params sp;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf)\n \t\treturn -ENOMEM;\n \n@@ -113,7 +111,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,\n \tret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \n out_unlock:\n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -165,8 +163,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,\n \tstruct lbs_private *priv = file-\u003eprivate_data;\n \tssize_t ret;\n \tsize_t pos = 0;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf)\n \t\treturn -ENOMEM;\n \n@@ -174,7 +171,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,\n \n \tret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -228,7 +225,7 @@ static ssize_t lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,\n \tu8 freq;\n \tint events = 0;\n \n-\tbuf = (char *)get_zeroed_page(GFP_KERNEL);\n+\tbuf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf)\n \t\treturn -ENOMEM;\n \n@@ -261,7 +258,7 @@ static ssize_t 
lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,\n \tkfree(subscribed);\n \n  out_page:\n-\tfree_page((unsigned long)buf);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -436,8 +433,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,\n \tstruct lbs_private *priv = file-\u003eprivate_data;\n \tssize_t pos = 0;\n \tint ret;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tu32 val = 0;\n \n \tif (!buf)\n@@ -450,7 +446,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,\n \t\t\t\tpriv-\u003emac_offset, val);\n \t\tret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \t}\n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -506,8 +502,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,\n \tstruct lbs_private *priv = file-\u003eprivate_data;\n \tssize_t pos = 0;\n \tint ret;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tu32 val;\n \n \tif (!buf)\n@@ -520,7 +515,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,\n \t\t\t\tpriv-\u003ebbp_offset, val);\n \t\tret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \t}\n-\tfree_page(addr);\n+\tkfree(buf);\n \n \treturn ret;\n }\n@@ -578,8 +573,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,\n \tstruct lbs_private *priv = file-\u003eprivate_data;\n \tssize_t pos = 0;\n \tint ret;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tu32 val;\n \n \tif (!buf)\n@@ -592,7 +586,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,\n \t\t\t\tpriv-\u003erf_offset, val);\n \t\tret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);\n \t}\n-\tfree_page(addr);\n+\tkfree(buf);\n \n \treturn 
ret;\n }\n@@ -812,8 +806,7 @@ static ssize_t lbs_debugfs_read(struct file *file, char __user *userbuf,\n \tchar *p;\n \tint i;\n \tstruct debug_data *d;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!buf)\n \t\treturn -ENOMEM;\n \n@@ -836,7 +829,7 @@ static ssize_t lbs_debugfs_read(struct file *file, char __user *userbuf,\n \n \tres = simple_read_from_buffer(userbuf, count, ppos, p, pos);\n \n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn res;\n }\n \ndiff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c\nindex 9deaf59dcb625e..573768b6ad9125 100644\n--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c\n+++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c\n@@ -6,6 +6,7 @@\n  */\n \n #include \u003clinux/debugfs.h\u003e\n+#include \u003clinux/slab.h\u003e\n \n #include \"main.h\"\n #include \"11n.h\"\n@@ -67,8 +68,8 @@ mwifiex_info_read(struct file *file, char __user *ubuf,\n \tstruct net_device *netdev = priv-\u003enetdev;\n \tstruct netdev_hw_addr *ha;\n \tstruct netdev_queue *txq;\n-\tunsigned long page = get_zeroed_page(GFP_KERNEL);\n-\tchar *p = (char *) page, fmt[64];\n+\tchar *page = kzalloc(PAGE_SIZE, GFP_KERNEL);\n+\tchar *p = page, fmt[64];\n \tstruct mwifiex_bss_info info;\n \tssize_t ret;\n \tint i = 0;\n@@ -133,11 +134,10 @@ mwifiex_info_read(struct file *file, char __user *ubuf,\n \t}\n \tp += sprintf(p, \"\\n\");\n \n-\tret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,\n-\t\t\t\t      (unsigned long) p - page);\n+\tret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);\n \n free_and_exit:\n-\tfree_page(page);\n+\tkfree(page);\n \treturn ret;\n }\n \n@@ -168,8 +168,8 @@ mwifiex_getlog_read(struct file *file, char __user *ubuf,\n {\n \tstruct mwifiex_private *priv =\n \t\t(struct mwifiex_private *) file-\u003eprivate_data;\n-\tunsigned long page = 
get_zeroed_page(GFP_KERNEL);\n-\tchar *p = (char *) page;\n+\tchar *page = kzalloc(PAGE_SIZE, GFP_KERNEL);\n+\tchar *p = page;\n \tssize_t ret;\n \tstruct mwifiex_ds_get_stats stats;\n \n@@ -220,11 +220,10 @@ mwifiex_getlog_read(struct file *file, char __user *ubuf,\n \t\t     stats.bcn_miss_cnt);\n \n \n-\tret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,\n-\t\t\t\t      (unsigned long) p - page);\n+\tret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);\n \n free_and_exit:\n-\tfree_page(page);\n+\tkfree(page);\n \treturn ret;\n }\n \n@@ -247,8 +246,8 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,\n \tssize_t ret;\n \tstruct mwifiex_histogram_data *phist_data;\n \tint i, value;\n-\tunsigned long page = get_zeroed_page(GFP_KERNEL);\n-\tchar *p = (char *)page;\n+\tchar *page = kzalloc(PAGE_SIZE, GFP_KERNEL);\n+\tchar *p = page;\n \n \tif (!p)\n \t\treturn -ENOMEM;\n@@ -309,11 +308,10 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,\n \t\t\t\ti, value);\n \t}\n \n-\tret = simple_read_from_buffer(ubuf, count, ppos, (char *)page,\n-\t\t\t\t      (unsigned long)p - page);\n+\tret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);\n \n free_and_exit:\n-\tfree_page(page);\n+\tkfree(page);\n \treturn ret;\n }\n \n@@ -383,8 +381,8 @@ mwifiex_debug_read(struct file *file, char __user *ubuf,\n {\n \tstruct mwifiex_private *priv =\n \t\t(struct mwifiex_private *) file-\u003eprivate_data;\n-\tunsigned long page = get_zeroed_page(GFP_KERNEL);\n-\tchar *p = (char *) page;\n+\tchar *page = kzalloc(PAGE_SIZE, GFP_KERNEL);\n+\tchar *p = page;\n \tssize_t ret;\n \n \tif (!p)\n@@ -396,11 +394,10 @@ mwifiex_debug_read(struct file *file, char __user *ubuf,\n \n \tp += mwifiex_debug_info_to_buffer(priv, p, \u0026info);\n \n-\tret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,\n-\t\t\t\t      (unsigned long) p - page);\n+\tret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);\n \n 
free_and_exit:\n-\tfree_page(page);\n+\tkfree(page);\n \treturn ret;\n }\n \n@@ -457,8 +454,7 @@ mwifiex_regrdwr_read(struct file *file, char __user *ubuf,\n {\n \tstruct mwifiex_private *priv =\n \t\t(struct mwifiex_private *) file-\u003eprivate_data;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *) addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tint pos = 0, ret = 0;\n \tu32 reg_value;\n \n@@ -497,7 +493,7 @@ mwifiex_regrdwr_read(struct file *file, char __user *ubuf,\n \tret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);\n \n done:\n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -511,8 +507,7 @@ mwifiex_debug_mask_read(struct file *file, char __user *ubuf,\n {\n \tstruct mwifiex_private *priv =\n \t\t(struct mwifiex_private *)file-\u003eprivate_data;\n-\tunsigned long page = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)page;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tsize_t ret = 0;\n \tint pos = 0;\n \n@@ -523,7 +518,7 @@ mwifiex_debug_mask_read(struct file *file, char __user *ubuf,\n \t\t\tpriv-\u003eadapter-\u003edebug_mask);\n \tret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);\n \n-\tfree_page(page);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -652,8 +647,7 @@ mwifiex_memrw_read(struct file *file, char __user *ubuf,\n \t\t   size_t count, loff_t *ppos)\n {\n \tstruct mwifiex_private *priv = (void *)file-\u003eprivate_data;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tint ret, pos = 0;\n \n \tif (!buf)\n@@ -663,7 +657,7 @@ mwifiex_memrw_read(struct file *file, char __user *ubuf,\n \t\t\tpriv-\u003emem_rw.value);\n \tret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);\n \n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -719,8 +713,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,\n {\n \tstruct mwifiex_private *priv =\n \t\t(struct 
mwifiex_private *) file-\u003eprivate_data;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *) addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tint pos, ret, i;\n \tu8 value[MAX_EEPROM_DATA];\n \n@@ -749,7 +742,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,\n done:\n \tret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);\n out_free:\n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \n@@ -820,8 +813,7 @@ mwifiex_hscfg_read(struct file *file, char __user *ubuf,\n \t\t   size_t count, loff_t *ppos)\n {\n \tstruct mwifiex_private *priv = (void *)file-\u003eprivate_data;\n-\tunsigned long addr = get_zeroed_page(GFP_KERNEL);\n-\tchar *buf = (char *)addr;\n+\tchar *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tint pos, ret;\n \tstruct mwifiex_ds_hs_cfg hscfg;\n \n@@ -836,7 +828,7 @@ mwifiex_hscfg_read(struct file *file, char __user *ubuf,\n \n \tret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);\n \n-\tfree_page(addr);\n+\tkfree(buf);\n \treturn ret;\n }\n \ndiff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c\nindex be583ae331c03b..5595f7a1fc0c36 100644\n--- a/drivers/net/wireless/ti/wlcore/main.c\n+++ b/drivers/net/wireless/ti/wlcore/main.c\n@@ -6354,7 +6354,6 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\n \tstruct ieee80211_hw *hw;\n \tstruct wl1271 *wl;\n \tint i, j, ret;\n-\tunsigned int order;\n \n \thw = ieee80211_alloc_hw(sizeof(*wl), \u0026wl1271_ops);\n \tif (!hw) {\n@@ -6434,8 +6433,7 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\n \tmutex_init(\u0026wl-\u003eflush_mutex);\n \tinit_completion(\u0026wl-\u003envs_loading_complete);\n \n-\torder = get_order(aggr_buf_size);\n-\twl-\u003eaggr_buf = (u8 *)__get_free_pages(GFP_KERNEL, order);\n+\twl-\u003eaggr_buf = kmalloc(round_up(aggr_buf_size, PAGE_SIZE), GFP_KERNEL);\n \tif (!wl-\u003eaggr_buf) {\n \t\tret = -ENOMEM;\n \t\tgoto err_wq;\n@@ 
-6449,7 +6447,7 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\n \t}\n \n \t/* Allocate one page for the FW log */\n-\twl-\u003efwlog = (u8 *)get_zeroed_page(GFP_KERNEL);\n+\twl-\u003efwlog = kzalloc(PAGE_SIZE, GFP_KERNEL);\n \tif (!wl-\u003efwlog) {\n \t\tret = -ENOMEM;\n \t\tgoto err_dummy_packet;\n@@ -6474,13 +6472,13 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\n \tkfree(wl-\u003embox);\n \n err_fwlog:\n-\tfree_page((unsigned long)wl-\u003efwlog);\n+\tkfree(wl-\u003efwlog);\n \n err_dummy_packet:\n \tdev_kfree_skb(wl-\u003edummy_packet);\n \n err_aggr:\n-\tfree_pages((unsigned long)wl-\u003eaggr_buf, order);\n+\tkfree(wl-\u003eaggr_buf);\n \n err_wq:\n \tdestroy_workqueue(wl-\u003efreezable_wq);\n@@ -6509,9 +6507,9 @@ int wlcore_free_hw(struct wl1271 *wl)\n \n \tkfree(wl-\u003ebuffer_32);\n \tkfree(wl-\u003embox);\n-\tfree_page((unsigned long)wl-\u003efwlog);\n+\tkfree(wl-\u003efwlog);\n \tdev_kfree_skb(wl-\u003edummy_packet);\n-\tfree_pages((unsigned long)wl-\u003eaggr_buf, get_order(wl-\u003eaggr_buf_size));\n+\tkfree(wl-\u003eaggr_buf);\n \n \twl1271_debugfs_exit(wl);\n \n"
}

2/1 2026/06/30 16:11 agent patch-evaluator
1m Model:
gemini-3.1-pro-preview

Args:
null

Results:
{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch performs a non-functional API replacement, switching from page allocator functions (e.g., get_zeroed_page, __get_free_pages) to slab allocator functions (kzalloc, kmalloc) across several network and wireless drivers. This does not alter the execution flow or core logic. Additionally, most of the modified drivers (bnx2x, ice, sfc, b43, wlcore) are for specific physical hardware (PCI/SDIO) that is not emulated in virtualized environments like QEMU, making these code paths unreachable during fuzzing.",
  "WorthFuzzing": false
}

Instruction:
You are an expert Linux kernel maintainer.
Your job is to review a provided patch series and determine
if it makes functional changes to the kernel that should be fuzzed.

IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in
your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively
use your code access tools to examine the actual source code and confirm any assumptions.

Return WorthFuzzing=false if the patch only contains:
- Modifications to Documentation/, Kconfig files, or code comments.
- Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints.
- Changes to numeric constants or macros that do not functionally alter execution flow.
- Code paths that are impossible to reach in virtualized environments like GCE or QEMU,
even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim).

If it modifies reachable core kernel logic, drivers, or architectures, use your code search
tools to verify the code can be executed, then return WorthFuzzing=true.

When returning WorthFuzzing=true, you MUST ALSO:
1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols.
   Avoid listing generic hot-path functions to prevent skewed test distributions.
2. Identify any specific CONFIG_ options required to properly test this new/modified feature.
   Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions.
   Do not list too generic configs (we already have them enabled). Only list those that
   specifically cover the modified code. List them in the EnableConfigs output array,
   and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4").
Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

Prompt:
For your convenience, here is the diff of the changes:
commit fe3f37d03454092e2180b596cb2e7381390ab35c
Author: syz-cluster <triage@syzkaller.com>
Date:   Tue Jun 30 16:11:13 2026 +0000

    syz-cluster: applied patch under review

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
index 07a908a2c72f25..d560524d317d98 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
@@ -26,6 +26,7 @@
 #include <linux/netdevice.h>
 #include <linux/etherdevice.h>
 #include <linux/crc32c.h>
+#include <linux/slab.h>
 #include "bnx2x.h"
 #include "bnx2x_cmn.h"
 #include "bnx2x_sp.h"
@@ -2664,7 +2665,7 @@ static void bnx2x_free_groups(struct list_head *mcast_group_list)
 				      struct bnx2x_mcast_elem_group,
 				      mcast_group_link);
 		list_del(&current_mcast_group->mcast_group_link);
-		free_page((unsigned long)current_mcast_group);
+		kfree(current_mcast_group);
 	}
 }
 
@@ -2713,8 +2714,7 @@ static int bnx2x_mcast_enqueue_cmd(struct bnx2x *bp,
 				total_elems = BNX2X_MCAST_BINS_NUM;
 		}
 		while (total_elems > 0) {
-			elem_group = (struct bnx2x_mcast_elem_group *)
-				     __get_free_page(GFP_ATOMIC | __GFP_ZERO);
+			elem_group = kzalloc(PAGE_SIZE, GFP_ATOMIC);
 			if (!elem_group) {
 				bnx2x_free_groups(&new_cmd->group_head);
 				kfree(new_cmd);
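Review bot: `kzalloc(PAGE_SIZE, GFP_ATOMIC)` sizes each multicast element group by the page constant rather than by anything tied to `struct bnx2x_mcast_elem_group`, so the number of elements that fit in one group is an implicit contract with code outside this hunk. Now that the object comes from the slab allocator, a comment at the allocation would make that contract explicit, for example `/* each group is exactly PAGE_SIZE bytes; per-group element capacity must be derived from PAGE_SIZE */`. The matching release in `bnx2x_free_groups()` is switched to `kfree()` in the previous hunk; any other path outside these hunks that allocates or frees a group has to use the slab API as well, because pairing `free_page()` with a slab object (or `kfree()` with a page-allocator page) is a memory-safety bug. The loop in `bnx2x_mcast_enqueue_cmd()` continues past the end of the hunk.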
diff --git a/drivers/net/ethernet/intel/ice/ice_gnss.c b/drivers/net/ethernet/intel/ice/ice_gnss.c
index 8fd954f1ebd675..7d21c3417b0b27 100644
--- a/drivers/net/ethernet/intel/ice/ice_gnss.c
+++ b/drivers/net/ethernet/intel/ice/ice_gnss.c
@@ -2,6 +2,7 @@
 /* Copyright (C) 2021-2022, Intel Corporation. */
 
 #include "ice.h"
+#include <linux/slab.h>
 #include "ice_lib.h"
 
 /**
@@ -124,7 +125,7 @@ static void ice_gnss_read(struct kthread_work *work)
 
 	data_len = min_t(typeof(data_len), data_len, PAGE_SIZE);
 
-	buf = (char *)get_zeroed_page(GFP_KERNEL);
+	buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf) {
 		err = -ENOMEM;
 		goto requeue;
@@ -151,7 +152,7 @@ static void ice_gnss_read(struct kthread_work *work)
 			 count, i);
 	delay = ICE_GNSS_TIMER_DELAY_TIME;
 free_buf:
-	free_page((unsigned long)buf);
+	kfree(buf);
 requeue:
 	kthread_queue_delayed_work(gnss->kworker, &gnss->read_work, delay);
 	if (err)
diff --git a/drivers/net/ethernet/sfc/mcdi.c b/drivers/net/ethernet/sfc/mcdi.c
index e65db9b707244a..b806d3d90c42e6 100644
--- a/drivers/net/ethernet/sfc/mcdi.c
+++ b/drivers/net/ethernet/sfc/mcdi.c
@@ -7,6 +7,7 @@
 #include <linux/delay.h>
 #include <linux/moduleparam.h>
 #include <linux/atomic.h>
+#include <linux/slab.h>
 #include "net_driver.h"
 #include "nic.h"
 #include "io.h"
@@ -71,7 +72,7 @@ int efx_mcdi_init(struct efx_nic *efx)
 	mcdi->efx = efx;
 #ifdef CONFIG_SFC_MCDI_LOGGING
 	/* consuming code assumes buffer is page-sized */
-	mcdi->logging_buffer = (char *)__get_free_page(GFP_KERNEL);
+	mcdi->logging_buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!mcdi->logging_buffer)
 		goto fail1;
 	mcdi->logging_enabled = mcdi_logging_default;
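Review bot: `kmalloc(PAGE_SIZE, GFP_KERNEL)` leaves `mcdi->logging_buffer` uninitialised, just as `__get_free_page(GFP_KERNEL)` did. If any consumer outside this hunk formats or prints the buffer before fully writing it, stale heap contents could reach the kernel log; on this init path zeroing costs nothing, so `mcdi->logging_buffer = kzalloc(PAGE_SIZE, GFP_KERNEL);` would be the safer form. The comment above the allocation could also be updated to `/* consuming code assumes buffer is PAGE_SIZE bytes */`, since the buffer is no longer a page. The same applies to the identical hunk in `efx_siena_mcdi_init()` in drivers/net/ethernet/sfc/siena/mcdi.c. The body of `efx_mcdi_init()` starts and ends outside the hunk.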
@@ -112,7 +113,7 @@ int efx_mcdi_init(struct efx_nic *efx)
 	return 0;
 fail2:
 #ifdef CONFIG_SFC_MCDI_LOGGING
-	free_page((unsigned long)mcdi->logging_buffer);
+	kfree(mcdi->logging_buffer);
 fail1:
 #endif
 	kfree(efx->mcdi);
@@ -138,7 +139,7 @@ void efx_mcdi_fini(struct efx_nic *efx)
 		return;
 
 #ifdef CONFIG_SFC_MCDI_LOGGING
-	free_page((unsigned long)efx->mcdi->iface.logging_buffer);
+	kfree(efx->mcdi->iface.logging_buffer);
 #endif
 
 	kfree(efx->mcdi);
diff --git a/drivers/net/ethernet/sfc/siena/mcdi.c b/drivers/net/ethernet/sfc/siena/mcdi.c
index 4d0d6bd5d3d116..048c1e6017c0a5 100644
--- a/drivers/net/ethernet/sfc/siena/mcdi.c
+++ b/drivers/net/ethernet/sfc/siena/mcdi.c
@@ -7,6 +7,7 @@
 #include <linux/delay.h>
 #include <linux/moduleparam.h>
 #include <linux/atomic.h>
+#include <linux/slab.h>
 #include "net_driver.h"
 #include "nic.h"
 #include "io.h"
@@ -73,7 +74,7 @@ int efx_siena_mcdi_init(struct efx_nic *efx)
 	mcdi->efx = efx;
 #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING
 	/* consuming code assumes buffer is page-sized */
-	mcdi->logging_buffer = (char *)__get_free_page(GFP_KERNEL);
+	mcdi->logging_buffer = kmalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!mcdi->logging_buffer)
 		goto fail1;
 	mcdi->logging_enabled = efx_siena_mcdi_logging_default;
@@ -116,7 +117,7 @@ int efx_siena_mcdi_init(struct efx_nic *efx)
 	return 0;
 fail2:
 #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING
-	free_page((unsigned long)mcdi->logging_buffer);
+	kfree(mcdi->logging_buffer);
 fail1:
 #endif
 	kfree(efx->mcdi);
@@ -142,7 +143,7 @@ void efx_siena_mcdi_fini(struct efx_nic *efx)
 		return;
 
 #ifdef CONFIG_SFC_SIENA_MCDI_LOGGING
-	free_page((unsigned long)efx->mcdi->iface.logging_buffer);
+	kfree(efx->mcdi->iface.logging_buffer);
 #endif
 
 	kfree(efx->mcdi);
diff --git a/drivers/net/wireless/broadcom/b43/debugfs.c b/drivers/net/wireless/broadcom/b43/debugfs.c
index acddae68947aa4..31a1ff00c1a459 100644
--- a/drivers/net/wireless/broadcom/b43/debugfs.c
+++ b/drivers/net/wireless/broadcom/b43/debugfs.c
@@ -495,7 +495,6 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,
 	ssize_t ret;
 	char *buf;
 	const size_t bufsize = 1024 * 16; /* 16 kiB buffer */
-	const size_t buforder = get_order(bufsize);
 	int err = 0;
 
 	if (!count)
@@ -518,15 +517,14 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,
 	dfile = fops_to_dfs_file(dev, dfops);
 
 	if (!dfile->buffer) {
-		buf = (char *)__get_free_pages(GFP_KERNEL, buforder);
+		buf = kzalloc(bufsize, GFP_KERNEL);
 		if (!buf) {
 			err = -ENOMEM;
 			goto out_unlock;
 		}
-		memset(buf, 0, bufsize);
 		ret = dfops->read(dev, buf, bufsize);
 		if (ret <= 0) {
-			free_pages((unsigned long)buf, buforder);
+			kfree(buf);
 			err = ret;
 			goto out_unlock;
 		}
@@ -538,7 +536,7 @@ static ssize_t b43_debugfs_read(struct file *file, char __user *userbuf,
 				      dfile->buffer,
 				      dfile->data_len);
 	if (*ppos >= dfile->data_len) {
-		free_pages((unsigned long)dfile->buffer, buforder);
+		kfree(dfile->buffer);
 		dfile->buffer = NULL;
 		dfile->data_len = 0;
 	}
@@ -577,7 +575,7 @@ static ssize_t b43_debugfs_write(struct file *file,
 		goto out_unlock;
 	}
 
-	buf = (char *)get_zeroed_page(GFP_KERNEL);
+	buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf) {
 		err = -ENOMEM;
 		goto out_unlock;
@@ -591,7 +589,7 @@ static ssize_t b43_debugfs_write(struct file *file,
 		goto out_freepage;
 
 out_freepage:
-	free_page((unsigned long)buf);
+	kfree(buf);
 out_unlock:
 	mutex_unlock(&dev->wl->mutex);
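Review bot: The label `out_freepage` now leads to a `kfree()` of a slab buffer, so its name no longer describes the cleanup. The same applies to `out_freepage` in `b43legacy_debugfs_write` and `out_page` in `lbs_threshold_read`. Renaming it to `out_free:` with the matching `goto out_free;` would keep the error path self-describing. Not every `goto` that targets the label is visible in this hunk, so the rename has to cover the whole function.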
 
diff --git a/drivers/net/wireless/broadcom/b43legacy/debugfs.c b/drivers/net/wireless/broadcom/b43legacy/debugfs.c
index 3ad99124d52279..42cce5e0402d5c 100644
--- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c
+++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c
@@ -192,7 +192,6 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,
 	ssize_t ret;
 	char *buf;
 	const size_t bufsize = 1024 * 16; /* 16 KiB buffer */
-	const size_t buforder = get_order(bufsize);
 	int err = 0;
 
 	if (!count)
@@ -215,7 +214,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,
 	dfile = fops_to_dfs_file(dev, dfops);
 
 	if (!dfile->buffer) {
-		buf = (char *)__get_free_pages(GFP_KERNEL, buforder);
+		buf = kmalloc(bufsize, GFP_KERNEL);
 		if (!buf) {
 			err = -ENOMEM;
 			goto out_unlock;
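Review bot: `kmalloc(bufsize, GFP_KERNEL)` leaves the 16 KiB buffer uninitialised here, whereas the matching change in `b43_debugfs_read` switches to `kzalloc` and drops its separate `memset`. The zeroing for this function is not visible in the hunk; if a `memset(buf, 0, bufsize)` still follows the allocation, behaviour is unchanged. Even so, `buf = kzalloc(bufsize, GFP_KERNEL);` would keep the two drivers consistent and make it evident at the allocation site that no stale slab contents can reach the later copy to `userbuf`. The function body starts and ends outside this hunk.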
@@ -228,7 +227,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,
 		} else
 			ret = dfops->read(dev, buf, bufsize);
 		if (ret <= 0) {
-			free_pages((unsigned long)buf, buforder);
+			kfree(buf);
 			err = ret;
 			goto out_unlock;
 		}
@@ -240,7 +239,7 @@ static ssize_t b43legacy_debugfs_read(struct file *file, char __user *userbuf,
 				      dfile->buffer,
 				      dfile->data_len);
 	if (*ppos >= dfile->data_len) {
-		free_pages((unsigned long)dfile->buffer, buforder);
+		kfree(dfile->buffer);
 		dfile->buffer = NULL;
 		dfile->data_len = 0;
 	}
@@ -279,7 +278,7 @@ static ssize_t b43legacy_debugfs_write(struct file *file,
 		goto out_unlock;
 	}
 
-	buf = (char *)get_zeroed_page(GFP_KERNEL);
+	buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf) {
 		err = -ENOMEM;
 		goto out_unlock;
@@ -298,7 +297,7 @@ static ssize_t b43legacy_debugfs_write(struct file *file,
 		goto out_freepage;
 
 out_freepage:
-	free_page((unsigned long)buf);
+	kfree(buf);
 out_unlock:
 	mutex_unlock(&dev->wl->mutex);
 
diff --git a/drivers/net/wireless/marvell/libertas/debugfs.c b/drivers/net/wireless/marvell/libertas/debugfs.c
index 9ebd691349400f..9428f954837a10 100644
--- a/drivers/net/wireless/marvell/libertas/debugfs.c
+++ b/drivers/net/wireless/marvell/libertas/debugfs.c
@@ -35,8 +35,7 @@ static ssize_t lbs_dev_info(struct file *file, char __user *userbuf,
 {
 	struct lbs_private *priv = file->private_data;
 	size_t pos = 0;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	ssize_t res;
 	if (!buf)
 		return -ENOMEM;
@@ -48,7 +47,7 @@ static ssize_t lbs_dev_info(struct file *file, char __user *userbuf,
 
 	res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 
-	free_page(addr);
+	kfree(buf);
 	return res;
 }
 
@@ -96,8 +95,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,
 	ssize_t ret;
 	size_t pos = 0;
 	struct sleep_params sp;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
@@ -113,7 +111,7 @@ static ssize_t lbs_sleepparams_read(struct file *file, char __user *userbuf,
 	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 
 out_unlock:
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -165,8 +163,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,
 	struct lbs_private *priv = file->private_data;
 	ssize_t ret;
 	size_t pos = 0;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
@@ -174,7 +171,7 @@ static ssize_t lbs_host_sleep_read(struct file *file, char __user *userbuf,
 
 	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -228,7 +225,7 @@ static ssize_t lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,
 	u8 freq;
 	int events = 0;
 
-	buf = (char *)get_zeroed_page(GFP_KERNEL);
+	buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
@@ -261,7 +258,7 @@ static ssize_t lbs_threshold_read(uint16_t tlv_type, uint16_t event_mask,
 	kfree(subscribed);
 
  out_page:
-	free_page((unsigned long)buf);
+	kfree(buf);
 	return ret;
 }
 
@@ -436,8 +433,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,
 	struct lbs_private *priv = file->private_data;
 	ssize_t pos = 0;
 	int ret;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	u32 val = 0;
 
 	if (!buf)
@@ -450,7 +446,7 @@ static ssize_t lbs_rdmac_read(struct file *file, char __user *userbuf,
 				priv->mac_offset, val);
 		ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 	}
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -506,8 +502,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,
 	struct lbs_private *priv = file->private_data;
 	ssize_t pos = 0;
 	int ret;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	u32 val;
 
 	if (!buf)
@@ -520,7 +515,7 @@ static ssize_t lbs_rdbbp_read(struct file *file, char __user *userbuf,
 				priv->bbp_offset, val);
 		ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 	}
-	free_page(addr);
+	kfree(buf);
 
 	return ret;
 }
@@ -578,8 +573,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,
 	struct lbs_private *priv = file->private_data;
 	ssize_t pos = 0;
 	int ret;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	u32 val;
 
 	if (!buf)
@@ -592,7 +586,7 @@ static ssize_t lbs_rdrf_read(struct file *file, char __user *userbuf,
 				priv->rf_offset, val);
 		ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
 	}
-	free_page(addr);
+	kfree(buf);
 
 	return ret;
 }
@@ -812,8 +806,7 @@ static ssize_t lbs_debugfs_read(struct file *file, char __user *userbuf,
 	char *p;
 	int i;
 	struct debug_data *d;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!buf)
 		return -ENOMEM;
 
@@ -836,7 +829,7 @@ static ssize_t lbs_debugfs_read(struct file *file, char __user *userbuf,
 
 	res = simple_read_from_buffer(userbuf, count, ppos, p, pos);
 
-	free_page(addr);
+	kfree(buf);
 	return res;
 }
 
diff --git a/drivers/net/wireless/marvell/mwifiex/debugfs.c b/drivers/net/wireless/marvell/mwifiex/debugfs.c
index 9deaf59dcb625e..573768b6ad9125 100644
--- a/drivers/net/wireless/marvell/mwifiex/debugfs.c
+++ b/drivers/net/wireless/marvell/mwifiex/debugfs.c
@@ -6,6 +6,7 @@
  */
 
 #include <linux/debugfs.h>
+#include <linux/slab.h>
 
 #include "main.h"
 #include "11n.h"
@@ -67,8 +68,8 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
 	struct net_device *netdev = priv->netdev;
 	struct netdev_hw_addr *ha;
 	struct netdev_queue *txq;
-	unsigned long page = get_zeroed_page(GFP_KERNEL);
-	char *p = (char *) page, fmt[64];
+	char *page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+	char *p = page, fmt[64];
 	struct mwifiex_bss_info info;
 	ssize_t ret;
 	int i = 0;
@@ -133,11 +134,10 @@ mwifiex_info_read(struct file *file, char __user *ubuf,
 	}
 	p += sprintf(p, "\n");
 
-	ret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,
-				      (unsigned long) p - page);
+	ret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);
 
 free_and_exit:
-	free_page(page);
+	kfree(page);
 	return ret;
 }
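Review bot: The `p += sprintf(p, ...)` writes that fill this buffer carry no bound, and with the buffer now coming from `kzalloc(PAGE_SIZE, ...)` an overrun would land in neighbouring slab objects rather than an adjacent page. Whether the formatted output can actually reach PAGE_SIZE cannot be determined from the hunk, so this is a hardening suggestion: `p += scnprintf(p, PAGE_SIZE - (p - page), "\n");`, and likewise for the earlier writes. The local `page` now holds a slab pointer and would read better as `buf`; the same naming applies to mwifiex_getlog_read, mwifiex_histogram_read and mwifiex_debug_read. mwifiex_info_read starts outside this hunk.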
 
@@ -168,8 +168,8 @@ mwifiex_getlog_read(struct file *file, char __user *ubuf,
 {
 	struct mwifiex_private *priv =
 		(struct mwifiex_private *) file->private_data;
-	unsigned long page = get_zeroed_page(GFP_KERNEL);
-	char *p = (char *) page;
+	char *page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+	char *p = page;
 	ssize_t ret;
 	struct mwifiex_ds_get_stats stats;
 
@@ -220,11 +220,10 @@ mwifiex_getlog_read(struct file *file, char __user *ubuf,
 		     stats.bcn_miss_cnt);
 
 
-	ret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,
-				      (unsigned long) p - page);
+	ret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);
 
 free_and_exit:
-	free_page(page);
+	kfree(page);
 	return ret;
 }
 
@@ -247,8 +246,8 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,
 	ssize_t ret;
 	struct mwifiex_histogram_data *phist_data;
 	int i, value;
-	unsigned long page = get_zeroed_page(GFP_KERNEL);
-	char *p = (char *)page;
+	char *page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+	char *p = page;
 
 	if (!p)
 		return -ENOMEM;
@@ -309,11 +308,10 @@ mwifiex_histogram_read(struct file *file, char __user *ubuf,
 				i, value);
 	}
 
-	ret = simple_read_from_buffer(ubuf, count, ppos, (char *)page,
-				      (unsigned long)p - page);
+	ret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);
 
 free_and_exit:
-	free_page(page);
+	kfree(page);
 	return ret;
 }
 
@@ -383,8 +381,8 @@ mwifiex_debug_read(struct file *file, char __user *ubuf,
 {
 	struct mwifiex_private *priv =
 		(struct mwifiex_private *) file->private_data;
-	unsigned long page = get_zeroed_page(GFP_KERNEL);
-	char *p = (char *) page;
+	char *page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+	char *p = page;
 	ssize_t ret;
 
 	if (!p)
@@ -396,11 +394,10 @@ mwifiex_debug_read(struct file *file, char __user *ubuf,
 
 	p += mwifiex_debug_info_to_buffer(priv, p, &info);
 
-	ret = simple_read_from_buffer(ubuf, count, ppos, (char *) page,
-				      (unsigned long) p - page);
+	ret = simple_read_from_buffer(ubuf, count, ppos, page, p - page);
 
 free_and_exit:
-	free_page(page);
+	kfree(page);
 	return ret;
 }
 
@@ -457,8 +454,7 @@ mwifiex_regrdwr_read(struct file *file, char __user *ubuf,
 {
 	struct mwifiex_private *priv =
 		(struct mwifiex_private *) file->private_data;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *) addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	int pos = 0, ret = 0;
 	u32 reg_value;
 
@@ -497,7 +493,7 @@ mwifiex_regrdwr_read(struct file *file, char __user *ubuf,
 	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
 
 done:
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -511,8 +507,7 @@ mwifiex_debug_mask_read(struct file *file, char __user *ubuf,
 {
 	struct mwifiex_private *priv =
 		(struct mwifiex_private *)file->private_data;
-	unsigned long page = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)page;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	size_t ret = 0;
 	int pos = 0;
 
@@ -523,7 +518,7 @@ mwifiex_debug_mask_read(struct file *file, char __user *ubuf,
 			priv->adapter->debug_mask);
 	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
 
-	free_page(page);
+	kfree(buf);
 	return ret;
 }
 
@@ -652,8 +647,7 @@ mwifiex_memrw_read(struct file *file, char __user *ubuf,
 		   size_t count, loff_t *ppos)
 {
 	struct mwifiex_private *priv = (void *)file->private_data;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	int ret, pos = 0;
 
 	if (!buf)
@@ -663,7 +657,7 @@ mwifiex_memrw_read(struct file *file, char __user *ubuf,
 			priv->mem_rw.value);
 	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
 
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -719,8 +713,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
 {
 	struct mwifiex_private *priv =
 		(struct mwifiex_private *) file->private_data;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *) addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	int pos, ret, i;
 	u8 value[MAX_EEPROM_DATA];
 
@@ -749,7 +742,7 @@ mwifiex_rdeeprom_read(struct file *file, char __user *ubuf,
 done:
 	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
 out_free:
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
@@ -820,8 +813,7 @@ mwifiex_hscfg_read(struct file *file, char __user *ubuf,
 		   size_t count, loff_t *ppos)
 {
 	struct mwifiex_private *priv = (void *)file->private_data;
-	unsigned long addr = get_zeroed_page(GFP_KERNEL);
-	char *buf = (char *)addr;
+	char *buf = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	int pos, ret;
 	struct mwifiex_ds_hs_cfg hscfg;
 
@@ -836,7 +828,7 @@ mwifiex_hscfg_read(struct file *file, char __user *ubuf,
 
 	ret = simple_read_from_buffer(ubuf, count, ppos, buf, pos);
 
-	free_page(addr);
+	kfree(buf);
 	return ret;
 }
 
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index be583ae331c03b..5595f7a1fc0c36 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -6354,7 +6354,6 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,
 	struct ieee80211_hw *hw;
 	struct wl1271 *wl;
 	int i, j, ret;
-	unsigned int order;
 
 	hw = ieee80211_alloc_hw(sizeof(*wl), &wl1271_ops);
 	if (!hw) {
@@ -6434,8 +6433,7 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,
 	mutex_init(&wl->flush_mutex);
 	init_completion(&wl->nvs_loading_complete);
 
-	order = get_order(aggr_buf_size);
-	wl->aggr_buf = (u8 *)__get_free_pages(GFP_KERNEL, order);
+	wl->aggr_buf = kmalloc(round_up(aggr_buf_size, PAGE_SIZE), GFP_KERNEL);
 	if (!wl->aggr_buf) {
 		ret = -ENOMEM;
 		goto err_wq;
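Review bot: `kmalloc(round_up(aggr_buf_size, PAGE_SIZE), GFP_KERNEL)` does not request the same size as the call it replaces. `__get_free_pages(GFP_KERNEL, get_order(aggr_buf_size))` returned a power-of-two number of pages, which can exceed the page-rounded size. If any user of `wl->aggr_buf` relied on that extra room (none is visible here), it would now run past the requested length, so the users should be confirmed to stay within `aggr_buf_size`. Either drop the rounding, `wl->aggr_buf = kmalloc(aggr_buf_size, GFP_KERNEL);`, or add a one-line comment above the call stating why page rounding is still required. wlcore_alloc_hw continues outside this hunk.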
@@ -6449,7 +6447,7 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,
 	}
 
 	/* Allocate one page for the FW log */
-	wl->fwlog = (u8 *)get_zeroed_page(GFP_KERNEL);
+	wl->fwlog = kzalloc(PAGE_SIZE, GFP_KERNEL);
 	if (!wl->fwlog) {
 		ret = -ENOMEM;
 		goto err_dummy_packet;
@@ -6474,13 +6472,13 @@ struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,
 	kfree(wl->mbox);
 
 err_fwlog:
-	free_page((unsigned long)wl->fwlog);
+	kfree(wl->fwlog);
 
 err_dummy_packet:
 	dev_kfree_skb(wl->dummy_packet);
 
 err_aggr:
-	free_pages((unsigned long)wl->aggr_buf, order);
+	kfree(wl->aggr_buf);
 
 err_wq:
 	destroy_workqueue(wl->freezable_wq);
@@ -6509,9 +6507,9 @@ int wlcore_free_hw(struct wl1271 *wl)
 
 	kfree(wl->buffer_32);
 	kfree(wl->mbox);
-	free_page((unsigned long)wl->fwlog);
+	kfree(wl->fwlog);
 	dev_kfree_skb(wl->dummy_packet);
-	free_pages((unsigned long)wl->aggr_buf, get_order(wl->aggr_buf_size));
+	kfree(wl->aggr_buf);
 
 	wl1271_debugfs_exit(wl);
 

3/2 2026/06/30 16:11 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 10932
							output: 19
							thoughts: 1864
						

Thoughts:
**Fuzzing Decision for Memory Allocation API Replacement**

Okay, so I've got this patch in front of me that's making a bunch of changes in network drivers.  It's swapping out these old-school page allocator functions like `__get_free_page`, `get_zeroed_page`, etc., and replacing them with `kmalloc`, `kzalloc`, and `kfree`.  My initial thought is, "Hmm, this seems like mostly a refactoring or cleanup." It's an allocation API change, not a new feature.

But hold on, could this *actually* be something worth fuzzing? I need to think this through. While it's just a memory allocation API change on the face of it, there *could* be subtle differences in how the memory is aligned or handled under the hood. For example, are there alignment guarantees? `kmalloc` with `PAGE_SIZE` should be page-aligned, I think. Is there a functional change? It's replacing one allocator with another. Is there potential for bugs? Could there be a mismatch in size, or flags that get handled differently?

Let's dive deeper. Are there any functions in particular that look like high-risk areas? Okay, let's see. I've got a list here: `bnx2x_mcast_enqueue_cmd`, `ice_gnss_read`, `efx_mcdi_init`, `b43_debugfs_read`, `lbs_dev_info`, `mwifiex_info_read`, and `wlcore_alloc_hw`.

Alright, I see this `wlcore_alloc_hw` example. The patch is changing how `aggr_buf` is allocated. The original code was using `__get_free_pages`, and now it's using `kmalloc`. This is a functional change because, if `aggr_buf_size` is large, the `kmalloc` call might fail. But wait, `KMALLOC_MAX_SIZE` is usually small. So it might fail, depending on the size the callers actually pass.

Okay, let's keep going. Is this "worth fuzzing"? The prompt gives some criteria: pure decorations, unreachable code paths, etc. The changes are memory allocation API, it *might* introduce bugs (wrong size, wrong flags).

Next, I need to figure out if these drivers are even reachable in a typical fuzzing environment, like QEMU. Looks like `bnx2x`, `ice`, and `sfc` are PCI devices. Those are unlikely to be emulated without some specialized setup. But the wireless drivers like `b43`, `libertas`, `mwifiex`, and `wlcore`, those are interesting. Specifically, `mwifiex` and `libertas` have USB drivers, and USB devices can be fuzzed with vhci, which syzkaller uses. The problem is that the modifications in `mwifiex` and `libertas` are in `debugfs.c`. Debugfs is reachable if the device is probed. Does this constitute core logic?

Is it worth fuzzing this patch that replaces `get_zeroed_page` with `kzalloc(PAGE_SIZE)`? The changes are trivial, and there isn't really core logic. But the change is functional, because it changes from page allocator to slab allocator.

Okay, if `kzalloc` is DMA-able, then it is perfectly fine. The code logic doesn't change really. But is `mwifiex` debugfs reachable? Okay, let me use `grepper`.



4/2 2026/06/30 16:11 tool grepper
0m Args:
{
  "Expression": "mwifiex_usb"
}

Results:
{
  "Output": "drivers/net/wireless/marvell/mwifiex/Kconfig=37=config MWIFIEX_USB\n--\ndrivers/net/wireless/marvell/mwifiex/Kconfig-45-\t  If you choose to build it as a module, it will be called\ndrivers/net/wireless/marvell/mwifiex/Kconfig:46:\t  mwifiex_usb.\n--\ndrivers/net/wireless/marvell/mwifiex/Makefile=42=obj-$(CONFIG_MWIFIEX_PCIE) += mwifiex_pcie.o\ndrivers/net/wireless/marvell/mwifiex/Makefile-43-\ndrivers/net/wireless/marvell/mwifiex/Makefile:44:mwifiex_usb-y += usb.o\ndrivers/net/wireless/marvell/mwifiex/Makefile:45:obj-$(CONFIG_MWIFIEX_USB) += mwifiex_usb.o\ndrivers/net/wireless/marvell/mwifiex/Makefile-46-\n--\ndrivers/net/wireless/marvell/mwifiex/fw.h=90=enum KEY_TYPE_ID {\n--\ndrivers/net/wireless/marvell/mwifiex/fw.h-122-\ndrivers/net/wireless/marvell/mwifiex/fw.h:123:enum mwifiex_usb_ep {\ndrivers/net/wireless/marvell/mwifiex/fw.h-124-\tMWIFIEX_USB_EP_CMD_EVENT = 1,\n--\ndrivers/net/wireless/marvell/mwifiex/main.h=55=enum {\n--\ndrivers/net/wireless/marvell/mwifiex/main.h-123- * Do not check for data_received for USB, as data_received\ndrivers/net/wireless/marvell/mwifiex/main.h:124: * is handled in mwifiex_usb_recv for USB\ndrivers/net/wireless/marvell/mwifiex/main.h-125- */\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=13=static const struct mwifiex_if_ops usb_ops;\ndrivers/net/wireless/marvell/mwifiex/usb.c-14-\ndrivers/net/wireless/marvell/mwifiex/usb.c:15:static const struct usb_device_id mwifiex_usb_table[] = {\ndrivers/net/wireless/marvell/mwifiex/usb.c-16-\t/* 8766 */\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-38-\ndrivers/net/wireless/marvell/mwifiex/usb.c:39:MODULE_DEVICE_TABLE(usb, mwifiex_usb_table);\ndrivers/net/wireless/marvell/mwifiex/usb.c-40-\ndrivers/net/wireless/marvell/mwifiex/usb.c:41:static int mwifiex_usb_submit_rx_urb(struct urb_context *ctx, int size);\ndrivers/net/wireless/marvell/mwifiex/usb.c-42-\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-45- */\ndrivers/net/wireless/marvell/mwifiex/usb.c:46:static int 
mwifiex_usb_recv(struct mwifiex_adapter *adapter,\ndrivers/net/wireless/marvell/mwifiex/usb.c-47-\t\t\t    struct sk_buff *skb, u8 ep)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-151-\ndrivers/net/wireless/marvell/mwifiex/usb.c:152:static void mwifiex_usb_rx_complete(struct urb *urb)\ndrivers/net/wireless/marvell/mwifiex/usb.c-153-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-186-\ndrivers/net/wireless/marvell/mwifiex/usb.c:187:\t\tstatus = mwifiex_usb_recv(adapter, skb, context-\u003eep);\ndrivers/net/wireless/marvell/mwifiex/usb.c-188-\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-196-\t\t\t * urb for cmd_ep will be re-submitted in callback\ndrivers/net/wireless/marvell/mwifiex/usb.c:197:\t\t\t * mwifiex_usb_recv_complete\ndrivers/net/wireless/marvell/mwifiex/usb.c-198-\t\t\t */\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-232-\tif (card-\u003erx_cmd_ep == context-\u003eep) {\ndrivers/net/wireless/marvell/mwifiex/usb.c:233:\t\tmwifiex_usb_submit_rx_urb(context, size);\ndrivers/net/wireless/marvell/mwifiex/usb.c-234-\t} else {\ndrivers/net/wireless/marvell/mwifiex/usb.c-235-\t\tif (atomic_read(\u0026adapter-\u003erx_pending) \u003c= HIGH_RX_PENDING) {\ndrivers/net/wireless/marvell/mwifiex/usb.c:236:\t\t\tmwifiex_usb_submit_rx_urb(context, size);\ndrivers/net/wireless/marvell/mwifiex/usb.c-237-\t\t} else {\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-244-\ndrivers/net/wireless/marvell/mwifiex/usb.c:245:static void mwifiex_usb_tx_complete(struct urb *urb)\ndrivers/net/wireless/marvell/mwifiex/usb.c-246-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-284-\ndrivers/net/wireless/marvell/mwifiex/usb.c:285:static int mwifiex_usb_submit_rx_urb(struct urb_context *ctx, int size)\ndrivers/net/wireless/marvell/mwifiex/usb.c-286-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-315-\t\t\t\t usb_rcvintpipe(card-\u003eudev, ctx-\u003eep),\ndrivers/net/wireless/marvell/mwifiex/usb.c:316:\t\t\t\t ctx-\u003eskb-\u003edata, size, 
mwifiex_usb_rx_complete,\ndrivers/net/wireless/marvell/mwifiex/usb.c-317-\t\t\t\t (void *)ctx, card-\u003erx_cmd_interval);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-320-\t\t\t\t  usb_rcvbulkpipe(card-\u003eudev, ctx-\u003eep),\ndrivers/net/wireless/marvell/mwifiex/usb.c:321:\t\t\t\t  ctx-\u003eskb-\u003edata, size, mwifiex_usb_rx_complete,\ndrivers/net/wireless/marvell/mwifiex/usb.c-322-\t\t\t\t  (void *)ctx);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-344-\ndrivers/net/wireless/marvell/mwifiex/usb.c:345:static void mwifiex_usb_free(struct usb_card_rec *card)\ndrivers/net/wireless/marvell/mwifiex/usb.c-346-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-384- */\ndrivers/net/wireless/marvell/mwifiex/usb.c:385:static int mwifiex_usb_probe(struct usb_interface *intf,\ndrivers/net/wireless/marvell/mwifiex/usb.c-386-\t\t\t     const struct usb_device_id *id)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-532- */\ndrivers/net/wireless/marvell/mwifiex/usb.c:533:static int mwifiex_usb_suspend(struct usb_interface *intf, pm_message_t message)\ndrivers/net/wireless/marvell/mwifiex/usb.c-534-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-599- */\ndrivers/net/wireless/marvell/mwifiex/usb.c:600:static int mwifiex_usb_resume(struct usb_interface *intf)\ndrivers/net/wireless/marvell/mwifiex/usb.c-601-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-625-\t\tfor (i = 0; i \u003c MWIFIEX_RX_DATA_URB; i++)\ndrivers/net/wireless/marvell/mwifiex/usb.c:626:\t\t\tmwifiex_usb_submit_rx_urb(\u0026card-\u003erx_data_list[i],\ndrivers/net/wireless/marvell/mwifiex/usb.c-627-\t\t\t\t\t\t  MWIFIEX_RX_DATA_BUF_SIZE);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-631-\t\tif (card-\u003erx_cmd.skb)\ndrivers/net/wireless/marvell/mwifiex/usb.c:632:\t\t\tmwifiex_usb_submit_rx_urb(\u0026card-\u003erx_cmd,\ndrivers/net/wireless/marvell/mwifiex/usb.c-633-\t\t\t\t\t\t  
MWIFIEX_RX_CMD_BUF_SIZE);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-644-\ndrivers/net/wireless/marvell/mwifiex/usb.c:645:static void mwifiex_usb_disconnect(struct usb_interface *intf)\ndrivers/net/wireless/marvell/mwifiex/usb.c-646-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-668-\ndrivers/net/wireless/marvell/mwifiex/usb.c:669:static void mwifiex_usb_coredump(struct device *dev)\ndrivers/net/wireless/marvell/mwifiex/usb.c-670-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-677-\ndrivers/net/wireless/marvell/mwifiex/usb.c:678:static struct usb_driver mwifiex_usb_driver = {\ndrivers/net/wireless/marvell/mwifiex/usb.c:679:\t.name = \"mwifiex_usb\",\ndrivers/net/wireless/marvell/mwifiex/usb.c:680:\t.probe = mwifiex_usb_probe,\ndrivers/net/wireless/marvell/mwifiex/usb.c:681:\t.disconnect = mwifiex_usb_disconnect,\ndrivers/net/wireless/marvell/mwifiex/usb.c:682:\t.id_table = mwifiex_usb_table,\ndrivers/net/wireless/marvell/mwifiex/usb.c:683:\t.suspend = mwifiex_usb_suspend,\ndrivers/net/wireless/marvell/mwifiex/usb.c:684:\t.resume = mwifiex_usb_resume,\ndrivers/net/wireless/marvell/mwifiex/usb.c-685-\t.soft_unbind = 1,\ndrivers/net/wireless/marvell/mwifiex/usb.c-686-\t.driver = {\ndrivers/net/wireless/marvell/mwifiex/usb.c:687:\t\t.coredump = mwifiex_usb_coredump,\ndrivers/net/wireless/marvell/mwifiex/usb.c-688-\t},\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=714=static int mwifiex_read_data_sync(struct mwifiex_adapter *adapter, u8 *pbuf,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-733-\ndrivers/net/wireless/marvell/mwifiex/usb.c:734:static void mwifiex_usb_port_resync(struct mwifiex_adapter *adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-735-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-775-\ndrivers/net/wireless/marvell/mwifiex/usb.c:776:static bool mwifiex_usb_is_port_ready(struct mwifiex_private 
*priv)\ndrivers/net/wireless/marvell/mwifiex/usb.c-777-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-788-\ndrivers/net/wireless/marvell/mwifiex/usb.c:789:static inline u8 mwifiex_usb_data_sent(struct mwifiex_adapter *adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-790-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-800-\ndrivers/net/wireless/marvell/mwifiex/usb.c:801:static int mwifiex_usb_construct_send_urb(struct mwifiex_adapter *adapter,\ndrivers/net/wireless/marvell/mwifiex/usb.c-802-\t\t\t\t\t  struct usb_tx_data_port *port, u8 ep,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-818-\t\t\t\t usb_sndintpipe(card-\u003eudev, ep), skb_send-\u003edata,\ndrivers/net/wireless/marvell/mwifiex/usb.c:819:\t\t\t\t skb_send-\u003elen, mwifiex_usb_tx_complete,\ndrivers/net/wireless/marvell/mwifiex/usb.c-820-\t\t\t\t (void *)context, card-\u003etx_cmd_interval);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-824-\t\t\t\t  skb_send-\u003edata, skb_send-\u003elen,\ndrivers/net/wireless/marvell/mwifiex/usb.c:825:\t\t\t\t  mwifiex_usb_tx_complete, (void *)context);\ndrivers/net/wireless/marvell/mwifiex/usb.c-826-\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-837-\t\tport-\u003eblock_status = true;\ndrivers/net/wireless/marvell/mwifiex/usb.c:838:\t\tadapter-\u003edata_sent = mwifiex_usb_data_sent(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-839-\t\tret = -ENOSR;\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-861-\ndrivers/net/wireless/marvell/mwifiex/usb.c:862:static int mwifiex_usb_prepare_tx_aggr_skb(struct mwifiex_adapter *adapter,\ndrivers/net/wireless/marvell/mwifiex/usb.c-863-\t\t\t\t\t   struct usb_tx_data_port *port,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-946- */\ndrivers/net/wireless/marvell/mwifiex/usb.c:947:static int mwifiex_usb_aggr_tx_data(struct mwifiex_adapter *adapter, u8 ep,\ndrivers/net/wireless/marvell/mwifiex/usb.c-948-\t\t\t\t    struct sk_buff *skb,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1062-\tif 
(f_send_aggr_buf) {\ndrivers/net/wireless/marvell/mwifiex/usb.c:1063:\t\tret = mwifiex_usb_prepare_tx_aggr_skb(adapter, port, \u0026skb_send);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1064-\t\tif (!ret) {\ndrivers/net/wireless/marvell/mwifiex/usb.c-1065-\t\t\tcontext = \u0026port-\u003etx_data_list[port-\u003etx_data_ix++];\ndrivers/net/wireless/marvell/mwifiex/usb.c:1066:\t\t\tret = mwifiex_usb_construct_send_urb(adapter, port, ep,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1067-\t\t\t\t\t\t\t     context, skb_send);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1079-\t\t\t\tadapter-\u003edata_sent =\ndrivers/net/wireless/marvell/mwifiex/usb.c:1080:\t\t\t\t\tmwifiex_usb_data_sent(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1081-\t\t\t\t/* no available urb, postcopy packet*/\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1095-\t\tcontext = \u0026port-\u003etx_data_list[port-\u003etx_data_ix++];\ndrivers/net/wireless/marvell/mwifiex/usb.c:1096:\t\treturn mwifiex_usb_construct_send_urb(adapter, port, ep,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1097-\t\t\t\t\t\t      context, skb_send);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1118-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1119:static void mwifiex_usb_tx_aggr_tmo(struct timer_list *t)\ndrivers/net/wireless/marvell/mwifiex/usb.c-1120-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1129-\tspin_lock_bh(\u0026port-\u003etx_aggr_lock);\ndrivers/net/wireless/marvell/mwifiex/usb.c:1130:\terr = mwifiex_usb_prepare_tx_aggr_skb(adapter, port, \u0026skb_send);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1131-\tif (err) {\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1140-\t\tadapter-\u003edata_sent =\ndrivers/net/wireless/marvell/mwifiex/usb.c:1141:\t\t\tmwifiex_usb_data_sent(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1142-\t\terr = -1;\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1149-\turb_cnxt = 
\u0026port-\u003etx_data_list[port-\u003etx_data_ix++];\ndrivers/net/wireless/marvell/mwifiex/usb.c:1150:\terr = mwifiex_usb_construct_send_urb(adapter, port, port-\u003etx_data_ep,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1151-\t\t\t\t\t     urb_cnxt, skb_send);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1159-/* This function write a command/data packet to card. */\ndrivers/net/wireless/marvell/mwifiex/usb.c:1160:static int mwifiex_usb_host_to_card(struct mwifiex_adapter *adapter, u8 ep,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1161-\t\t\t\t    struct sk_buff *skb,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1192-\t\t\t\t\tadapter-\u003edata_sent =\ndrivers/net/wireless/marvell/mwifiex/usb.c:1193:\t\t\t\t\t\tmwifiex_usb_data_sent(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1194-\t\t\t\t\treturn -EBUSY;\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1208-\t\t\tspin_lock_bh(\u0026port-\u003etx_aggr_lock);\ndrivers/net/wireless/marvell/mwifiex/usb.c:1209:\t\t\tret =  mwifiex_usb_aggr_tx_data(adapter, ep, skb,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1210-\t\t\t\t\t\t\ttx_param, port);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1217-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1218:\treturn mwifiex_usb_construct_send_urb(adapter, port, ep, context, skb);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1219-}\ndrivers/net/wireless/marvell/mwifiex/usb.c-1220-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1221:static int mwifiex_usb_tx_init(struct mwifiex_adapter *adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-1222-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1257-\t\ttimer_setup(\u0026port-\u003etx_aggr.timer_cnxt.hold_timer,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1258:\t\t\t    mwifiex_usb_tx_aggr_tmo, 0);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1259-\t}\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1263-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1264:static int mwifiex_usb_rx_init(struct mwifiex_adapter 
*adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-1265-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1279-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1280:\tif (mwifiex_usb_submit_rx_urb(\u0026card-\u003erx_cmd, MWIFIEX_RX_CMD_BUF_SIZE))\ndrivers/net/wireless/marvell/mwifiex/usb.c-1281-\t\treturn -1;\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1289-\t\t\treturn -1;\ndrivers/net/wireless/marvell/mwifiex/usb.c:1290:\t\tif (mwifiex_usb_submit_rx_urb(\u0026card-\u003erx_data_list[i],\ndrivers/net/wireless/marvell/mwifiex/usb.c-1291-\t\t\t\t\t      MWIFIEX_RX_DATA_BUF_SIZE))\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1299=static int mwifiex_register_dev(struct mwifiex_adapter *adapter)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1337-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1338:static void mwifiex_usb_cleanup_tx_aggr(struct mwifiex_adapter *adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-1339-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1359=static void mwifiex_unregister_dev(struct mwifiex_adapter *adapter)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1362-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1363:\tmwifiex_usb_free(card);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1364-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1365:\tmwifiex_usb_cleanup_tx_aggr(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1366-\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1370=static int mwifiex_prog_fw_w_helper(struct mwifiex_adapter *adapter,\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1506-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1507:static int mwifiex_usb_dnld_fw(struct mwifiex_adapter *adapter,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1508-\t\t\tstruct mwifiex_fw_image *fw)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1522-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1523:\tret = mwifiex_usb_rx_init(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1524-\tif 
(!ret)\ndrivers/net/wireless/marvell/mwifiex/usb.c:1525:\t\tret = mwifiex_usb_tx_init(adapter);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1526-\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1530=static void mwifiex_submit_rx_urb(struct mwifiex_adapter *adapter, u8 ep)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1536-\t    (!atomic_read(\u0026card-\u003erx_cmd_urb_pending)))\ndrivers/net/wireless/marvell/mwifiex/usb.c:1537:\t\tmwifiex_usb_submit_rx_urb(\u0026card-\u003erx_cmd,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1538-\t\t\t\t\t  MWIFIEX_RX_CMD_BUF_SIZE);\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1542-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1543:static int mwifiex_usb_cmd_event_complete(struct mwifiex_adapter *adapter,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1544-\t\t\t\t       struct sk_buff *skb)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1552=static int mwifiex_pm_wakeup_card(struct mwifiex_adapter *adapter)\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1562-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1563:static void mwifiex_usb_submit_rem_rx_urbs(struct mwifiex_adapter *adapter)\ndrivers/net/wireless/marvell/mwifiex/usb.c-1564-{\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1572-\t\tctx = \u0026card-\u003erx_data_list[i];\ndrivers/net/wireless/marvell/mwifiex/usb.c:1573:\t\tmwifiex_usb_submit_rx_urb(ctx, MWIFIEX_RX_DATA_BUF_SIZE);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1574-\t}\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c=1584=static const struct mwifiex_if_ops usb_ops = {\n--\ndrivers/net/wireless/marvell/mwifiex/usb.c-1590-\t/* USB specific */\ndrivers/net/wireless/marvell/mwifiex/usb.c:1591:\t.dnld_fw =\t\tmwifiex_usb_dnld_fw,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1592:\t.cmdrsp_complete =\tmwifiex_usb_cmd_event_complete,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1593:\t.event_complete =\tmwifiex_usb_cmd_event_complete,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1594:\t.host_to_card 
=\t\tmwifiex_usb_host_to_card,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1595:\t.submit_rem_rx_urbs =\tmwifiex_usb_submit_rem_rx_urbs,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1596:\t.multi_port_resync =\tmwifiex_usb_port_resync,\ndrivers/net/wireless/marvell/mwifiex/usb.c:1597:\t.is_port_ready =\tmwifiex_usb_is_port_ready,\ndrivers/net/wireless/marvell/mwifiex/usb.c-1598-};\ndrivers/net/wireless/marvell/mwifiex/usb.c-1599-\ndrivers/net/wireless/marvell/mwifiex/usb.c:1600:module_usb_driver(mwifiex_usb_driver);\ndrivers/net/wireless/marvell/mwifiex/usb.c-1601-\n"
}

5/2 2026/06/30 16:11 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 20967
							output: 20
							thoughts: 520
						

Thoughts:
**Analyzing a Minor Kernel Change**

Okay, so I'm looking at this `mwifiex_usb` module, and the interesting bit is in `mwifiex/debugfs.c`. It seems like the only change is switching from `get_zeroed_page` to `kzalloc(PAGE_SIZE)`. My initial thought is, "Is this even worth fuzzing?" The prompt is clear: changes that are purely decorative or don't affect execution flow should be marked as not worth fuzzing.

My immediate reaction is that this seems like a purely cosmetic change, swapping one memory allocator for another. `get_zeroed_page` and `kzalloc` both ultimately allocate a page of memory using `GFP_KERNEL` and they allocate 1 page. But wait...

Hmm, I have to consider: Does `kzalloc` failing differ from `get_zeroed_page` failing? No, they both use `GFP_KERNEL`, so this seems unlikely. But what is `PAGE_SIZE`? Right, `kzalloc(PAGE_SIZE)` is served from the `kmalloc-4k` or `kmalloc-8k` cache. `get_zeroed_page` allocates directly from the page allocator, so maybe there's some subtle difference here. Is there a functional change that requires fuzzing? I need to analyze this further.

The next question: Was this change made to fix a bug? I don't have the commit message, which would be ideal. I could check `grepper` or `read-file` to get the commit message. Wait, those won't work, because the commit message is not in the source files. I can't use `grepper` to run `git log -1` either, because `grepper` is really just `git grep`.

To get a better understanding, I have to think about `wlcore_alloc_hw` to compare it to a similar change. In `wlcore_alloc_hw`, they've replaced this:

```c
-	order = get_order(aggr_buf_size);
-	wl->aggr_buf = (u8 *)__get_free_pages(GFP_KERNEL, order);
+	wl->aggr_buf = kmalloc(round_up(aggr_buf_size, PAGE_SIZE), GFP_KERNEL);
```
So, if `aggr_buf_size` is large, `kmalloc` can fail if it's > `KMALLOC_MAX_SIZE`. If that applies to the `mwifiex` change, then the difference is significant. I need to determine what `aggr_buf_size` is in the other code. I should check the callers of `wlcore_alloc_hw` to see how it's used.

Let's focus on the `mwifiex` change again. The allocator is changed, so there's a chance there's a difference.

I need to understand if the change is related to performance, stability, or is just pure refactoring.



6/2 2026/06/30 16:11 tool grepper
0m Args:
{
  "Expression": "wlcore_alloc_hw"
}

Results:
{
  "Output": "drivers/net/wireless/ti/wl12xx/main.c=1892=static int wl12xx_probe(struct platform_device *pdev)\n--\ndrivers/net/wireless/ti/wl12xx/main.c-1897-\ndrivers/net/wireless/ti/wl12xx/main.c:1898:\thw = wlcore_alloc_hw(sizeof(struct wl12xx_priv),\ndrivers/net/wireless/ti/wl12xx/main.c-1899-\t\t\t     WL12XX_AGGR_BUFFER_SIZE,\n--\ndrivers/net/wireless/ti/wl18xx/main.c=2062=static int wl18xx_probe(struct platform_device *pdev)\n--\ndrivers/net/wireless/ti/wl18xx/main.c-2067-\ndrivers/net/wireless/ti/wl18xx/main.c:2068:\thw = wlcore_alloc_hw(sizeof(struct wl18xx_priv),\ndrivers/net/wireless/ti/wl18xx/main.c-2069-\t\t\t     WL18XX_AGGR_BUFFER_SIZE,\n--\ndrivers/net/wireless/ti/wlcore/main.c=6209=static int wl1271_init_ieee80211(struct wl1271 *wl)\n--\ndrivers/net/wireless/ti/wlcore/main.c-6350-\ndrivers/net/wireless/ti/wlcore/main.c:6351:struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\ndrivers/net/wireless/ti/wlcore/main.c-6352-\t\t\t\t     u32 mbox_size)\n--\ndrivers/net/wireless/ti/wlcore/main.c-6496-}\ndrivers/net/wireless/ti/wlcore/main.c:6497:EXPORT_SYMBOL_GPL(wlcore_alloc_hw);\ndrivers/net/wireless/ti/wlcore/main.c-6498-\n--\ndrivers/net/wireless/ti/wlcore/wlcore.h=500=void wlcore_remove(struct platform_device *pdev);\ndrivers/net/wireless/ti/wlcore/wlcore.h:501:struct ieee80211_hw *wlcore_alloc_hw(size_t priv_size, u32 aggr_buf_size,\ndrivers/net/wireless/ti/wlcore/wlcore.h-502-\t\t\t\t     u32 mbox_size);\n"
}

7/2 2026/06/30 16:11 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 22826
							output: 37
							thoughts: 31
						

Thoughts:
Okay, here's my take on those thoughts, tailored for an expert audience:

**Analyzing Aggregation Buffer Sizes**

Alright, let's dive right in. My initial thought process is focusing on the aggregation buffer sizes, specifically, `WL12XX_AGGR_BUFFER_SIZE` and `WL18XX_AGGR_BUFFER_SIZE`.  I immediately want to check these parameters, and I'm probably thinking about a specific scenario or issue I'm debugging. Am I looking at a performance bottleneck? Are we seeing packet loss that might correlate with these buffer settings? Perhaps I'm benchmarking different hardware versions (WL12XX vs WL18XX) and want to compare optimal settings. Knowing these buffer sizes is fundamental to understanding how the MAC layer handles aggregation and, in turn, impacts throughput and latency, especially in environments with high traffic density.  I need to figure out what values are currently configured and then think through what impact increasing or decreasing might have. Essentially, this is the starting point for digging deeper into a potential wireless performance problem.



8/2 2026/06/30 16:11 tool grepper
0m Args:
{
  "Expression": "WL12XX_AGGR_BUFFER_SIZE|WL18XX_AGGR_BUFFER_SIZE"
}

Results:
{
  "Output": "drivers/net/wireless/ti/wl12xx/main.c=1892=static int wl12xx_probe(struct platform_device *pdev)\n--\ndrivers/net/wireless/ti/wl12xx/main.c-1898-\thw = wlcore_alloc_hw(sizeof(struct wl12xx_priv),\ndrivers/net/wireless/ti/wl12xx/main.c:1899:\t\t\t     WL12XX_AGGR_BUFFER_SIZE,\ndrivers/net/wireless/ti/wl12xx/main.c-1900-\t\t\t     sizeof(struct wl12xx_event_mailbox));\n--\ndrivers/net/wireless/ti/wl12xx/wl12xx.h-44-\ndrivers/net/wireless/ti/wl12xx/wl12xx.h:45:#define WL12XX_AGGR_BUFFER_SIZE\t(4 * PAGE_SIZE)\ndrivers/net/wireless/ti/wl12xx/wl12xx.h-46-\n--\ndrivers/net/wireless/ti/wl18xx/main.c=2062=static int wl18xx_probe(struct platform_device *pdev)\n--\ndrivers/net/wireless/ti/wl18xx/main.c-2068-\thw = wlcore_alloc_hw(sizeof(struct wl18xx_priv),\ndrivers/net/wireless/ti/wl18xx/main.c:2069:\t\t\t     WL18XX_AGGR_BUFFER_SIZE,\ndrivers/net/wireless/ti/wl18xx/main.c-2070-\t\t\t     sizeof(struct wl18xx_event_mailbox));\n--\ndrivers/net/wireless/ti/wl18xx/wl18xx.h-21-\ndrivers/net/wireless/ti/wl18xx/wl18xx.h:22:#define WL18XX_AGGR_BUFFER_SIZE\t\t(13 * PAGE_SIZE)\ndrivers/net/wireless/ti/wl18xx/wl18xx.h-23-\n"
}

9/2 2026/06/30 16:11 llm patch-evaluator
0m Model:
gemini-3.1-pro-preview

Args:
null

Results:
null

Tokens:
							input: 23637
							output: 153
							thoughts: 1601
						

Thoughts:
**Analysis of Memory Allocation API Replacement Patch**

Okay, let's break this down. First, I see a pattern here: `WL18XX_AGGR_BUFFER_SIZE` is calculated to be 53248 bytes (13 * `PAGE_SIZE` with 4 KiB pages), and that's well within the limits of `kmalloc-64k`, which means the allocation sizes themselves aren't an issue. Then, I see the switch from `__get_free_pages` to `kzalloc` in `b43_debugfs_read` and `b43legacy_debugfs_read`. The allocated buffer size is 16 KiB, perfectly manageable with either function. The same switch happens in `bnx2x_mcast_enqueue_cmd`, with an allocation size of a single page, again perfectly fine. The code is replacing `__get_free_page` with `kzalloc`.

The core question is whether this is worth fuzzing. The prompt defines several reasons *not* to fuzz. The crucial criteria here is whether this change "functionally alter[s] execution flow." My immediate thought is no, this is *just* a different memory allocation mechanism. It's a refactoring to use a slab cache instead of the page allocator. While the memory layout might be slightly different, the driver logic itself remains the same. But I need to be thorough.

Many of these drivers are likely hardware-specific. I start running through the drivers: `bnx2x`, `ice`, and `sfc` are PCI devices. QEMU doesn't emulate these directly. `b43` and `b43legacy` are PCI/SSB devices, so also not reachable. `libertas` has a USB driver, but it relies on specific firmware and hardware behavior. `mwifiex` also has a USB driver, the same issues. `wlcore` is SDIO/SPI. That's also not emulated in QEMU.

I check QEMU's network device list just to be sure, and confirm none of the drivers are directly supported. I know Syzkaller can fuzz USB devices, so `libertas` and `mwifiex` are potentially reachable via USB emulation using `dummy_hcd`. Debugfs files are created by `mwifiex_dev_debugfs_init`, called from `mwifiex_add_card` which gets called from `mwifiex_usb_probe`, which *could* work. The potential fuzzing entrypoint is `debugfs.c`.

Okay, but the patch is *still* just replacing one memory allocation API with another. Does it functionally alter execution flow? No. It's not introducing any new logic. The changes are simply memory allocation API replacements, going from the page allocator to the slab allocator. This is a purely mechanical change.

I'm confident returning `WorthFuzzing=false`. The reasoning is that the patch primarily substitutes memory allocation functions (page allocator to slab allocator) across drivers for hardware, and this is a non-functional API replacement that doesn't affect the drivers' execution flow or logic. Moreover, most drivers (bnx2x, ice, sfc, b43, wlcore) are for physical hardware (PCI/SDIO) that's not emulated in virtualized environments like QEMU, so the code paths are unreachable. This aligns perfectly with the prompt's criteria: "Changes to numeric constants or macros that do not functionally alter execution flow" and "Code paths that are impossible to reach in virtualized environments."



10/2 2026/06/30 16:12 tool set-results
0m Args:
{
  "EnableConfigs": [],
  "FocusSymbols": [],
  "Reasoning": "The patch performs a non-functional API replacement, switching from page allocator functions (e.g., get_zeroed_page, __get_free_pages) to slab allocator functions (kzalloc, kmalloc) across several network and wireless drivers. This does not alter the execution flow or core logic. Additionally, most of the modified drivers (bnx2x, ice, sfc, b43, wlcore) are for specific physical hardware (PCI/SDIO) that is not emulated in virtualized environments like QEMU, making these code paths unreachable during fuzzing.",
  "WorthFuzzing": false
}

Results:
{
  "EnableConfigs": null,
  "FocusSymbols": [],
  "Reasoning": "The patch performs a non-functional API replacement, switching from page allocator functions (e.g., get_zeroed_page, __get_free_pages) to slab allocator functions (kzalloc, kmalloc) across several network and wireless drivers. This does not alter the execution flow or core logic. Additionally, most of the modified drivers (bnx2x, ice, sfc, b43, wlcore) are for specific physical hardware (PCI/SDIO) that is not emulated in virtualized environments like QEMU, making these code paths unreachable during fuzzing.",
  "WorthFuzzing": false
}

LLM Calls Summary:
Total Calls Total Tokens Avg Tokens Total Duration (Seconds) Avg Duration (Seconds)
Tool Calls Summary:
Total Calls Total Duration (Seconds) Avg Duration (Seconds)