| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/07/03 16:22 | flow | patch-triage |
Args:null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 PCIe/AHB devices. The modified code paths (mac80211 callbacks and WMI event handlers) require a successful device probe and firmware boot sequence (MHI, QMI, WMI) to be reachable. Since there is no software emulation for this hardware in virtualized environments like QEMU or GCE, these code paths are impossible to reach and fuzz.",
"WorthFuzzing": false
} |
| 1/1 | 2026/07/03 16:22 | action | read-patch-diff |
Args:null Results: {
"PatchDiff": "commit 519932f150dc631555ebf04b34dffde19a3d4c05\nAuthor: syz-cluster \u003ctriage@syzkaller.com\u003e\nDate: Fri Jul 3 16:22:12 2026 +0000\n\n syz-cluster: applied patch under review\n\ndiff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h\nindex 8be435535a4e8b..6ce2f7b3fa5012 100644\n--- a/drivers/net/wireless/ath/ath12k/core.h\n+++ b/drivers/net/wireless/ath/ath12k/core.h\n@@ -712,7 +712,6 @@ struct ath12k {\n \t * avoid reporting garbage data.\n \t */\n \tbool ch_info_can_report_survey;\n-\tstruct survey_info survey[ATH12K_NUM_CHANS];\n \tstruct completion bss_survey_done;\n \n \tstruct work_struct regd_update_work;\n@@ -774,6 +773,11 @@ struct ath12k_hw {\n \t */\n \tstruct mutex hw_mutex;\n \tenum ath12k_hw_state state;\n+\n+\t/* protects survey[] shared across radios of this hw. */\n+\tspinlock_t survey_lock;\n+\tstruct survey_info survey[ATH12K_NUM_CHANS];\n+\n \tbool regd_updated;\n \tbool use_6ghz_regd;\n \ndiff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c\nindex 2cff9485c95afb..daf9bc8722dfba 100644\n--- a/drivers/net/wireless/ath/ath12k/mac.c\n+++ b/drivers/net/wireless/ath/ath12k/mac.c\n@@ -13348,52 +13348,54 @@ ath12k_mac_update_bss_chan_survey(struct ath12k *ar,\n int ath12k_mac_op_get_survey(struct ieee80211_hw *hw, int idx,\n \t\t\t struct survey_info *survey)\n {\n+\tstruct ath12k_hw *ah = hw-\u003epriv;\n \tstruct ath12k *ar;\n \tstruct ieee80211_supported_band *sband;\n-\tstruct survey_info *ar_survey;\n+\tstruct survey_info *ah_survey;\n+\tint sband_idx = idx;\n \n \tlockdep_assert_wiphy(hw-\u003ewiphy);\n \n-\tif (idx \u003e= ATH12K_NUM_CHANS)\n+\tif (sband_idx \u003e= ATH12K_NUM_CHANS)\n \t\treturn -ENOENT;\n \n \tsband = hw-\u003ewiphy-\u003ebands[NL80211_BAND_2GHZ];\n-\tif (sband \u0026\u0026 idx \u003e= sband-\u003en_channels) {\n-\t\tidx -= sband-\u003en_channels;\n+\tif (sband \u0026\u0026 sband_idx \u003e= sband-\u003en_channels) 
{\n+\t\tsband_idx -= sband-\u003en_channels;\n \t\tsband = NULL;\n \t}\n \n \tif (!sband)\n \t\tsband = hw-\u003ewiphy-\u003ebands[NL80211_BAND_5GHZ];\n-\tif (sband \u0026\u0026 idx \u003e= sband-\u003en_channels) {\n-\t\tidx -= sband-\u003en_channels;\n+\tif (sband \u0026\u0026 sband_idx \u003e= sband-\u003en_channels) {\n+\t\tsband_idx -= sband-\u003en_channels;\n \t\tsband = NULL;\n \t}\n \n \tif (!sband)\n \t\tsband = hw-\u003ewiphy-\u003ebands[NL80211_BAND_6GHZ];\n \n-\tif (!sband || idx \u003e= sband-\u003en_channels)\n+\tif (!sband || sband_idx \u003e= sband-\u003en_channels)\n \t\treturn -ENOENT;\n \n-\tar = ath12k_mac_get_ar_by_chan(hw, \u0026sband-\u003echannels[idx]);\n+\tar = ath12k_mac_get_ar_by_chan(hw, \u0026sband-\u003echannels[sband_idx]);\n \tif (!ar) {\n-\t\tif (sband-\u003echannels[idx].flags \u0026 IEEE80211_CHAN_DISABLED) {\n+\t\tif (sband-\u003echannels[sband_idx].flags \u0026 IEEE80211_CHAN_DISABLED) {\n \t\t\tmemset(survey, 0, sizeof(*survey));\n \t\t\treturn 0;\n \t\t}\n \t\treturn -ENOENT;\n \t}\n \n-\tar_survey = \u0026ar-\u003esurvey[idx];\n+\tah_survey = \u0026ah-\u003esurvey[idx];\n \n-\tath12k_mac_update_bss_chan_survey(ar, \u0026sband-\u003echannels[idx]);\n+\tath12k_mac_update_bss_chan_survey(ar, \u0026sband-\u003echannels[sband_idx]);\n \n-\tspin_lock_bh(\u0026ar-\u003edata_lock);\n-\tmemcpy(survey, ar_survey, sizeof(*survey));\n-\tspin_unlock_bh(\u0026ar-\u003edata_lock);\n+\tscoped_guard(spinlock_bh, \u0026ah-\u003esurvey_lock) {\n+\t\tmemcpy(survey, ah_survey, sizeof(*survey));\n+\t}\n \n-\tsurvey-\u003echannel = \u0026sband-\u003echannels[idx];\n+\tsurvey-\u003echannel = \u0026sband-\u003echannels[sband_idx];\n \n \tif (ar-\u003erx_channel == survey-\u003echannel)\n \t\tsurvey-\u003efilled |= SURVEY_INFO_IN_USE;\n@@ -15055,6 +15057,7 @@ static struct ath12k_hw *ath12k_mac_hw_allocate(struct ath12k_hw_group *ag,\n \n \tmutex_init(\u0026ah-\u003ehw_mutex);\n \n+\tspin_lock_init(\u0026ah-\u003esurvey_lock);\n 
\tspin_lock_init(\u0026ah-\u003edp_hw.peer_lock);\n \tINIT_LIST_HEAD(\u0026ah-\u003edp_hw.dp_peers_list);\n \ndiff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c\nindex b5e904a55aeabb..3f3730a6c2ac27 100644\n--- a/drivers/net/wireless/ath/ath12k/wmi.c\n+++ b/drivers/net/wireless/ath/ath12k/wmi.c\n@@ -6617,16 +6617,12 @@ static int ath12k_pull_roam_ev(struct ath12k_base *ab, struct sk_buff *skb,\n \treturn 0;\n }\n \n-static int freq_to_idx(struct ath12k *ar, int freq)\n+static int freq_to_idx(struct ieee80211_hw *hw, int freq)\n {\n \tstruct ieee80211_supported_band *sband;\n-\tstruct ieee80211_hw *hw = ath12k_ar_to_hw(ar);\n \tint band, ch, idx = 0;\n \n \tfor (band = NL80211_BAND_2GHZ; band \u003c NUM_NL80211_BANDS; band++) {\n-\t\tif (!ar-\u003emac.sbands[band].channels)\n-\t\t\tcontinue;\n-\n \t\tsband = hw-\u003ewiphy-\u003ebands[band];\n \t\tif (!sband)\n \t\t\tcontinue;\n@@ -7507,6 +7503,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n {\n \tstruct wmi_chan_info_event ch_info_ev = {};\n \tstruct ath12k *ar;\n+\tstruct ath12k_hw *ah;\n \tstruct survey_info *survey;\n \tint idx;\n \t/* HW channel counters frequency value in hertz */\n@@ -7538,6 +7535,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n \t\treturn;\n \t}\n \tspin_lock_bh(\u0026ar-\u003edata_lock);\n+\tah = ath12k_ar_to_ah(ar);\n \n \tswitch (ar-\u003escan.state) {\n \tcase ATH12K_SCAN_IDLE:\n@@ -7549,8 +7547,8 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n \t\tbreak;\n \t}\n \n-\tidx = freq_to_idx(ar, le32_to_cpu(ch_info_ev.freq));\n-\tif (idx \u003e= ARRAY_SIZE(ar-\u003esurvey)) {\n+\tidx = freq_to_idx(ath12k_ar_to_hw(ar), le32_to_cpu(ch_info_ev.freq));\n+\tif (idx \u003e= ARRAY_SIZE(ah-\u003esurvey)) {\n \t\tath12k_warn(ab, \"chan info: invalid frequency %d (idx %d out of bounds)\\n\",\n \t\t\t ch_info_ev.freq, idx);\n \t\tgoto exit;\n@@ -7563,14 
+7561,16 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n \t\tcc_freq_hz = (le32_to_cpu(ch_info_ev.mac_clk_mhz) * 1000);\n \n \tif (ch_info_ev.cmd_flags == WMI_CHAN_INFO_START_RESP) {\n-\t\tsurvey = \u0026ar-\u003esurvey[idx];\n-\t\tmemset(survey, 0, sizeof(*survey));\n-\t\tsurvey-\u003enoise = le32_to_cpu(ch_info_ev.noise_floor);\n-\t\tsurvey-\u003efilled = SURVEY_INFO_NOISE_DBM | SURVEY_INFO_TIME |\n+\t\tscoped_guard(spinlock_bh, \u0026ah-\u003esurvey_lock) {\n+\t\t\tsurvey = \u0026ah-\u003esurvey[idx];\n+\t\t\tmemset(survey, 0, sizeof(*survey));\n+\t\t\tsurvey-\u003enoise = le32_to_cpu(ch_info_ev.noise_floor);\n+\t\t\tsurvey-\u003efilled = SURVEY_INFO_NOISE_DBM | SURVEY_INFO_TIME |\n \t\t\t\t SURVEY_INFO_TIME_BUSY;\n-\t\tsurvey-\u003etime = div_u64(le32_to_cpu(ch_info_ev.cycle_count), cc_freq_hz);\n-\t\tsurvey-\u003etime_busy = div_u64(le32_to_cpu(ch_info_ev.rx_clear_count),\n-\t\t\t\t\t cc_freq_hz);\n+\t\t\tsurvey-\u003etime = div_u64(le32_to_cpu(ch_info_ev.cycle_count), cc_freq_hz);\n+\t\t\tsurvey-\u003etime_busy = div_u64(le32_to_cpu(ch_info_ev.rx_clear_count),\n+\t\t\t\t\t\t cc_freq_hz);\n+\t\t}\n \t}\n exit:\n \tspin_unlock_bh(\u0026ar-\u003edata_lock);\n@@ -7583,6 +7583,7 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n \tstruct wmi_pdev_bss_chan_info_event bss_ch_info_ev = {};\n \tstruct survey_info *survey;\n \tstruct ath12k *ar;\n+\tstruct ath12k_hw *ah;\n \tu32 cc_freq_hz = ab-\u003ecc_freq_hz;\n \tu64 busy, total, tx, rx, rx_bss;\n \tint idx;\n@@ -7623,28 +7624,31 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)\n \t\treturn;\n \t}\n \n-\tspin_lock_bh(\u0026ar-\u003edata_lock);\n-\tidx = freq_to_idx(ar, le32_to_cpu(bss_ch_info_ev.freq));\n-\tif (idx \u003e= ARRAY_SIZE(ar-\u003esurvey)) {\n+\tah = ath12k_ar_to_ah(ar);\n+\n+\tidx = freq_to_idx(ath12k_ar_to_hw(ar), le32_to_cpu(bss_ch_info_ev.freq));\n+\tif (idx \u003e= ARRAY_SIZE(ah-\u003esurvey)) {\n 
\t\tath12k_warn(ab, \"bss chan info: invalid frequency %d (idx %d out of bounds)\\n\",\n \t\t\t bss_ch_info_ev.freq, idx);\n \t\tgoto exit;\n \t}\n \n-\tsurvey = \u0026ar-\u003esurvey[idx];\n+\tscoped_guard(spinlock_bh, \u0026ah-\u003esurvey_lock) {\n+\t\tsurvey = \u0026ah-\u003esurvey[idx];\n+\n+\t\tsurvey-\u003enoise = le32_to_cpu(bss_ch_info_ev.noise_floor);\n+\t\tsurvey-\u003etime = div_u64(total, cc_freq_hz);\n+\t\tsurvey-\u003etime_busy = div_u64(busy, cc_freq_hz);\n+\t\tsurvey-\u003etime_rx = div_u64(rx_bss, cc_freq_hz);\n+\t\tsurvey-\u003etime_tx = div_u64(tx, cc_freq_hz);\n+\t\tsurvey-\u003efilled |= (SURVEY_INFO_NOISE_DBM |\n+\t\t\t\t SURVEY_INFO_TIME |\n+\t\t\t\t SURVEY_INFO_TIME_BUSY |\n+\t\t\t\t SURVEY_INFO_TIME_RX |\n+\t\t\t\t SURVEY_INFO_TIME_TX);\n+\t}\n \n-\tsurvey-\u003enoise = le32_to_cpu(bss_ch_info_ev.noise_floor);\n-\tsurvey-\u003etime = div_u64(total, cc_freq_hz);\n-\tsurvey-\u003etime_busy = div_u64(busy, cc_freq_hz);\n-\tsurvey-\u003etime_rx = div_u64(rx_bss, cc_freq_hz);\n-\tsurvey-\u003etime_tx = div_u64(tx, cc_freq_hz);\n-\tsurvey-\u003efilled |= (SURVEY_INFO_NOISE_DBM |\n-\t\t\t SURVEY_INFO_TIME |\n-\t\t\t SURVEY_INFO_TIME_BUSY |\n-\t\t\t SURVEY_INFO_TIME_RX |\n-\t\t\t SURVEY_INFO_TIME_TX);\n exit:\n-\tspin_unlock_bh(\u0026ar-\u003edata_lock);\n \tcomplete(\u0026ar-\u003ebss_survey_done);\n \n \trcu_read_unlock();\n"
} |
| 2/1 | 2026/07/03 16:22 | agent | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 PCIe/AHB devices. The modified code paths (mac80211 callbacks and WMI event handlers) require a successful device probe and firmware boot sequence (MHI, QMI, WMI) to be reachable. Since there is no software emulation for this hardware in virtualized environments like QEMU or GCE, these code paths are impossible to reach and fuzz.",
"WorthFuzzing": false
}
Instruction: You are an expert Linux kernel maintainer. Your job is to review a provided patch series and determine if it makes functional changes to the kernel that should be fuzzed. IMPORTANT: The changes have ALREADY been applied and committed as the HEAD commit in your workspace. Do NOT rely on your internal knowledge of the kernel. You must actively use your code access tools to examine the actual source code and confirm any assumptions. Return WorthFuzzing=false if the patch only contains: - Modifications to Documentation/, Kconfig files, or code comments. - Purely decorative changes, such as logging (e.g., pr_err, printk) or tracepoints. - Changes to numeric constants or macros that do not functionally alter execution flow. - Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim). If it modifies reachable core kernel logic, drivers, or architectures, use your code search tools to verify the code can be executed, then return WorthFuzzing=true. When returning WorthFuzzing=true, you MUST ALSO: 1. Extract any specific kernel functions that should be heavily fuzzed into FocusSymbols. Avoid listing generic hot-path functions to prevent skewed test distributions. 2. Identify any specific CONFIG_ options required to properly test this new/modified feature. Go and look into the Kconfig files and check for ifdefs around the code, do not make assumptions. Do not list too generic configs (we already have them enabled). Only list those that specifically cover the modified code. List them in the EnableConfigs output array, and DO NOT add a 'CONFIG_' prefix (e.g., return "NET_IPV4" instead of "CONFIG_NET_IPV4"). Prefer calling several tools at the same time to save round-trips. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.
Prompt: For your convenience, here is the diff of the changes:
commit 519932f150dc631555ebf04b34dffde19a3d4c05
Author: syz-cluster <triage@syzkaller.com>
Date: Fri Jul 3 16:22:12 2026 +0000
syz-cluster: applied patch under review
diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
index 8be435535a4e8b..6ce2f7b3fa5012 100644
--- a/drivers/net/wireless/ath/ath12k/core.h
+++ b/drivers/net/wireless/ath/ath12k/core.h
@@ -712,7 +712,6 @@ struct ath12k {
* avoid reporting garbage data.
*/
bool ch_info_can_report_survey;
- struct survey_info survey[ATH12K_NUM_CHANS];
struct completion bss_survey_done;
struct work_struct regd_update_work;
@@ -774,6 +773,11 @@ struct ath12k_hw {
*/
struct mutex hw_mutex;
enum ath12k_hw_state state;
+
+ /* protects survey[] shared across radios of this hw. */
+ spinlock_t survey_lock;
+ struct survey_info survey[ATH12K_NUM_CHANS];
+
bool regd_updated;
bool use_6ghz_regd;
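Review bot: The new comment on `survey_lock` should also record the lock ordering, because ath12k_chan_info_event acquires `ah->survey_lock` inside a region that already holds `ar->data_lock`, while ath12k_pdev_bss_chan_info_event takes `survey_lock` with no `data_lock` held at all. A one-line addition such as `/* nests inside ar->data_lock when both are taken */` would keep a later caller from acquiring the two locks in the opposite order.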
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 2cff9485c95afb..daf9bc8722dfba 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -13348,52 +13348,54 @@ ath12k_mac_update_bss_chan_survey(struct ath12k *ar,
int ath12k_mac_op_get_survey(struct ieee80211_hw *hw, int idx,
struct survey_info *survey)
{
+ struct ath12k_hw *ah = hw->priv;
struct ath12k *ar;
struct ieee80211_supported_band *sband;
- struct survey_info *ar_survey;
+ struct survey_info *ah_survey;
+ int sband_idx = idx;
lockdep_assert_wiphy(hw->wiphy);
- if (idx >= ATH12K_NUM_CHANS)
+ if (sband_idx >= ATH12K_NUM_CHANS)
return -ENOENT;
sband = hw->wiphy->bands[NL80211_BAND_2GHZ];
- if (sband && idx >= sband->n_channels) {
- idx -= sband->n_channels;
+ if (sband && sband_idx >= sband->n_channels) {
+ sband_idx -= sband->n_channels;
sband = NULL;
}
if (!sband)
sband = hw->wiphy->bands[NL80211_BAND_5GHZ];
- if (sband && idx >= sband->n_channels) {
- idx -= sband->n_channels;
+ if (sband && sband_idx >= sband->n_channels) {
+ sband_idx -= sband->n_channels;
sband = NULL;
}
if (!sband)
sband = hw->wiphy->bands[NL80211_BAND_6GHZ];
- if (!sband || idx >= sband->n_channels)
+ if (!sband || sband_idx >= sband->n_channels)
return -ENOENT;
- ar = ath12k_mac_get_ar_by_chan(hw, &sband->channels[idx]);
+ ar = ath12k_mac_get_ar_by_chan(hw, &sband->channels[sband_idx]);
if (!ar) {
- if (sband->channels[idx].flags & IEEE80211_CHAN_DISABLED) {
+ if (sband->channels[sband_idx].flags & IEEE80211_CHAN_DISABLED) {
memset(survey, 0, sizeof(*survey));
return 0;
}
return -ENOENT;
}
- ar_survey = &ar->survey[idx];
+ ah_survey = &ah->survey[idx];
- ath12k_mac_update_bss_chan_survey(ar, &sband->channels[idx]);
+ ath12k_mac_update_bss_chan_survey(ar, &sband->channels[sband_idx]);
- spin_lock_bh(&ar->data_lock);
- memcpy(survey, ar_survey, sizeof(*survey));
- spin_unlock_bh(&ar->data_lock);
+ scoped_guard(spinlock_bh, &ah->survey_lock) {
+ memcpy(survey, ah_survey, sizeof(*survey));
+ }
- survey->channel = &sband->channels[idx];
+ survey->channel = &sband->channels[sband_idx];
if (ar->rx_channel == survey->channel)
survey->filled |= SURVEY_INFO_IN_USE;
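Review bot: `ah_survey = &ah->survey[idx]` and `survey->channel = &sband->channels[sband_idx]` now index two different spaces (idx is the hw-wide channel index that freq_to_idx() in wmi.c produces, sband_idx is the offset within one band), and nothing in the function says so; add a comment at the `int sband_idx = idx;` declaration stating that idx must stay unmodified because it addresses ah->survey[], and that the early `sband_idx >= ATH12K_NUM_CHANS` check is what bounds that later access.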
@@ -15055,6 +15057,7 @@ static struct ath12k_hw *ath12k_mac_hw_allocate(struct ath12k_hw_group *ag,
mutex_init(&ah->hw_mutex);
+ spin_lock_init(&ah->survey_lock);
spin_lock_init(&ah->dp_hw.peer_lock);
INIT_LIST_HEAD(&ah->dp_hw.dp_peers_list);
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index b5e904a55aeabb..3f3730a6c2ac27 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -6617,16 +6617,12 @@ static int ath12k_pull_roam_ev(struct ath12k_base *ab, struct sk_buff *skb,
return 0;
}
-static int freq_to_idx(struct ath12k *ar, int freq)
+static int freq_to_idx(struct ieee80211_hw *hw, int freq)
{
struct ieee80211_supported_band *sband;
- struct ieee80211_hw *hw = ath12k_ar_to_hw(ar);
int band, ch, idx = 0;
for (band = NL80211_BAND_2GHZ; band < NUM_NL80211_BANDS; band++) {
- if (!ar->mac.sbands[band].channels)
- continue;
-
sband = hw->wiphy->bands[band];
if (!sband)
continue;
@@ -7507,6 +7503,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
{
struct wmi_chan_info_event ch_info_ev = {};
struct ath12k *ar;
+ struct ath12k_hw *ah;
struct survey_info *survey;
int idx;
/* HW channel counters frequency value in hertz */
@@ -7538,6 +7535,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
return;
}
spin_lock_bh(&ar->data_lock);
+ ah = ath12k_ar_to_ah(ar);
switch (ar->scan.state) {
case ATH12K_SCAN_IDLE:
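Review bot: `ah = ath12k_ar_to_ah(ar);` sits just after `spin_lock_bh(&ar->data_lock);`, but deriving ah from ar does not need the lock; move the assignment above the spin_lock_bh call so the locked region stays minimal and the function matches ath12k_pdev_bss_chan_info_event, which assigns ah before taking any lock.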
@@ -7549,8 +7547,8 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
break;
}
- idx = freq_to_idx(ar, le32_to_cpu(ch_info_ev.freq));
- if (idx >= ARRAY_SIZE(ar->survey)) {
+ idx = freq_to_idx(ath12k_ar_to_hw(ar), le32_to_cpu(ch_info_ev.freq));
+ if (idx >= ARRAY_SIZE(ah->survey)) {
ath12k_warn(ab, "chan info: invalid frequency %d (idx %d out of bounds)\n",
ch_info_ev.freq, idx);
goto exit;
@@ -7563,14 +7561,16 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
cc_freq_hz = (le32_to_cpu(ch_info_ev.mac_clk_mhz) * 1000);
if (ch_info_ev.cmd_flags == WMI_CHAN_INFO_START_RESP) {
- survey = &ar->survey[idx];
- memset(survey, 0, sizeof(*survey));
- survey->noise = le32_to_cpu(ch_info_ev.noise_floor);
- survey->filled = SURVEY_INFO_NOISE_DBM | SURVEY_INFO_TIME |
+ scoped_guard(spinlock_bh, &ah->survey_lock) {
+ survey = &ah->survey[idx];
+ memset(survey, 0, sizeof(*survey));
+ survey->noise = le32_to_cpu(ch_info_ev.noise_floor);
+ survey->filled = SURVEY_INFO_NOISE_DBM | SURVEY_INFO_TIME |
SURVEY_INFO_TIME_BUSY;
- survey->time = div_u64(le32_to_cpu(ch_info_ev.cycle_count), cc_freq_hz);
- survey->time_busy = div_u64(le32_to_cpu(ch_info_ev.rx_clear_count),
- cc_freq_hz);
+ survey->time = div_u64(le32_to_cpu(ch_info_ev.cycle_count), cc_freq_hz);
+ survey->time_busy = div_u64(le32_to_cpu(ch_info_ev.rx_clear_count),
+ cc_freq_hz);
+ }
}
exit:
spin_unlock_bh(&ar->data_lock);
@@ -7583,6 +7583,7 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
struct wmi_pdev_bss_chan_info_event bss_ch_info_ev = {};
struct survey_info *survey;
struct ath12k *ar;
+ struct ath12k_hw *ah;
u32 cc_freq_hz = ab->cc_freq_hz;
u64 busy, total, tx, rx, rx_bss;
int idx;
@@ -7623,28 +7624,31 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
return;
}
- spin_lock_bh(&ar->data_lock);
- idx = freq_to_idx(ar, le32_to_cpu(bss_ch_info_ev.freq));
- if (idx >= ARRAY_SIZE(ar->survey)) {
+ ah = ath12k_ar_to_ah(ar);
+
+ idx = freq_to_idx(ath12k_ar_to_hw(ar), le32_to_cpu(bss_ch_info_ev.freq));
+ if (idx >= ARRAY_SIZE(ah->survey)) {
ath12k_warn(ab, "bss chan info: invalid frequency %d (idx %d out of bounds)\n",
bss_ch_info_ev.freq, idx);
goto exit;
}
- survey = &ar->survey[idx];
+ scoped_guard(spinlock_bh, &ah->survey_lock) {
+ survey = &ah->survey[idx];
+
+ survey->noise = le32_to_cpu(bss_ch_info_ev.noise_floor);
+ survey->time = div_u64(total, cc_freq_hz);
+ survey->time_busy = div_u64(busy, cc_freq_hz);
+ survey->time_rx = div_u64(rx_bss, cc_freq_hz);
+ survey->time_tx = div_u64(tx, cc_freq_hz);
+ survey->filled |= (SURVEY_INFO_NOISE_DBM |
+ SURVEY_INFO_TIME |
+ SURVEY_INFO_TIME_BUSY |
+ SURVEY_INFO_TIME_RX |
+ SURVEY_INFO_TIME_TX);
+ }
- survey->noise = le32_to_cpu(bss_ch_info_ev.noise_floor);
- survey->time = div_u64(total, cc_freq_hz);
- survey->time_busy = div_u64(busy, cc_freq_hz);
- survey->time_rx = div_u64(rx_bss, cc_freq_hz);
- survey->time_tx = div_u64(tx, cc_freq_hz);
- survey->filled |= (SURVEY_INFO_NOISE_DBM |
- SURVEY_INFO_TIME |
- SURVEY_INFO_TIME_BUSY |
- SURVEY_INFO_TIME_RX |
- SURVEY_INFO_TIME_TX);
exit:
- spin_unlock_bh(&ar->data_lock);
complete(&ar->bss_survey_done);
rcu_read_unlock();
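Review bot: Dropping `ar->data_lock` here leaves the `exit:` path with `complete(&ar->bss_survey_done)` and the locals (`busy`, `total`, `tx`, `rx_bss`) computed before this hunk running under rcu_read_lock only; the visible lines only touch ah->survey[], which is now under survey_lock, but please confirm nothing in the unchanged part of the function above relied on data_lock, and state in the commit message that data_lock is no longer taken in this handler. Minor nit: the empty `+` line after `survey = &ah->survey[idx];` inside the scoped_guard block can be removed.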
|
| 3/2 | 2026/07/03 16:22 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 5352 output: 40 thoughts: 466 Thoughts: **Reaching the Ath12k Survey Patch in a Virtualized Environment** Okay, so we've got this patch that re-organizes the `survey` array and its associated lock within the `ath12k` driver. It moves the data from the per-radio `ath12k` struct to the per-hardware `ath12k_hw` struct. This affects several functions: `ath12k_mac_op_get_survey`, `ath12k_mac_hw_allocate`, `ath12k_chan_info_event`, `ath12k_pdev_bss_chan_info_event`, and `freq_to_idx`. My immediate concern is whether this is even *testable* in a virtualized environment. This is the `ath12k` driver, which, as I recall, is for Qualcomm Wi-Fi 7 devices, specifically PCIe/AHB based. The question then becomes: can we emulate this? I don't believe there's any established QEMU emulation for `ath12k` itself. Sure, `mac80211_hwsim` exists, but that's a generic MAC80211 emulation, not specifically for a hardware driver. We're talking about a very specific piece of hardware. I can't think of any obvious software emulation route, no USB gadget tricks here since it's PCIe/AHB. But wait, there's syzkaller! It can fuzz PCI devices using vPCI, *if* supported. The usual caveats apply; most specific Wi-Fi drivers aren't typically fuzzed unless they're USB or virtio. Is `ath12k` a candidate for syzkaller fuzzing? I'd need to check if there are syzbot reports related to `ath12k`, though I can't check that immediately. But, I *do* know syzkaller has a PCI fuzzer, using things like `vhci` or `vfio`. However, the main prompt stipulates that we need to consider code paths unreachable in virtualized setups like GCE or QEMU, even with software emulation like `usb gadget` or `mac80211_hwsim`. Is `ath12k` realistically reachable given that constraint? I need to clarify if this driver can be tested. Time to double-check the `Kconfig` file in `drivers/net/wireless/ath/ath12k/Kconfig`. |
| 4/2 | 2026/07/03 16:22 | tool | grepper |
Args:{
"Expression": "config ATH12K",
"PathPrefix": "drivers/net/wireless/ath/ath12k/Kconfig"
}
Results: {
"Output": "drivers/net/wireless/ath/ath12k/Kconfig-1-# SPDX-License-Identifier: BSD-3-Clause-Clear\ndrivers/net/wireless/ath/ath12k/Kconfig:2:config ATH12K\ndrivers/net/wireless/ath/ath12k/Kconfig-3-\ttristate \"Qualcomm Technologies Wi-Fi 7 support (ath12k)\"\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-16-\ndrivers/net/wireless/ath/ath12k/Kconfig:17:config ATH12K_AHB\ndrivers/net/wireless/ath/ath12k/Kconfig-18-\tbool \"QTI ath12k AHB support\"\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-24-\ndrivers/net/wireless/ath/ath12k/Kconfig:25:config ATH12K_DEBUG\ndrivers/net/wireless/ath/ath12k/Kconfig-26-\tbool \"ath12k debugging\"\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-34-\ndrivers/net/wireless/ath/ath12k/Kconfig:35:config ATH12K_DEBUGFS\ndrivers/net/wireless/ath/ath12k/Kconfig-36-\tbool \"QTI ath12k debugfs support\"\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-43-\ndrivers/net/wireless/ath/ath12k/Kconfig:44:config ATH12K_TRACING\ndrivers/net/wireless/ath/ath12k/Kconfig-45-\tbool \"ath12k tracing support\"\n--\ndrivers/net/wireless/ath/ath12k/Kconfig-52-\ndrivers/net/wireless/ath/ath12k/Kconfig:53:config ATH12K_COREDUMP\ndrivers/net/wireless/ath/ath12k/Kconfig-54-\tbool \"ath12k coredump\"\n"
} |
| 5/2 | 2026/07/03 16:22 | llm | patch-evaluator |
Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 6908 output: 34 thoughts: 455 Thoughts: **Analyzing the Fuzzability of the Qualcomm Wi-Fi 7 Driver** Okay, so I'm looking at this driver, specifically for Qualcomm's Wi-Fi 7 hardware. First, I need to know: is there any software emulation available for it? No. That's a huge hurdle. Can I fuzz it through PCI fuzzing then? Syzkaller does have PCI fuzzing capabilities, which is promising. But is it considered "impossible to reach in virtualized environments"? Usually, these hardware-specific drivers like ath11k, ath12k, or iwlwifi are tricky to fuzz unless there is an emulator or unless the PCI fuzzing is extremely effective. Syzkaller's PCI fuzzing works by injecting PCI config space and MMIO reads/writes. Wait, the code mentions `ath12k` which uses `mac80211`. The patch specifically modifies `ath12k_mac_op_get_survey`, which is a callback for `mac80211` (`get_survey`). It also modifies `ath12k_chan_info_event` and `ath12k_pdev_bss_chan_info_event`, which are WMI event handlers. Okay, WMI events come from the firmware, that's crucial. Since there is no firmware running in a virtualized environment, unless emulated, the firmware won't send those WMI events. Wait a minute, even if PCI fuzzing injects random data into MMIO, the driver expects a complex firmware boot sequence (QMI, MHI, WMI). It's highly unlikely to reach these WMI event handlers or even successfully register the mac80211 device without a real firmware or a good emulator. So, let's drill down specifically to `ath12k` and see if it's fuzzable in our current setup. The prompt says: "Return WorthFuzzing=false if the patch only contains: ... Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim)."
Since `ath12k` relies on real hardware or a complex emulator that doesn't exist in QEMU or GCE, it's impossible to reach these code paths! That's it. Let me just double-check, though, maybe I'm missing something, is there any test mode or sim mode within `ath12k`? I should not assume; I will check. |
| 6/2 | 2026/07/03 16:27 | tool | grepper |
Args:{
"Expression": "sim",
"PathPrefix": "drivers/net/wireless/ath/ath12k/"
}
Results: {
"Output": "drivers/net/wireless/ath/ath12k/core.h=488=struct ath12k_link_sta {\n--\ndrivers/net/wireless/ath/ath12k/core.h-491-\ndrivers/net/wireless/ath/ath12k/core.h:492:\t/* link address similar to ieee80211_link_sta */\ndrivers/net/wireless/ath/ath12k/core.h-493-\tu8 addr[ETH_ALEN];\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-12-\ndrivers/net/wireless/ath/ath12k/debugfs.c:13:static ssize_t ath12k_write_simulate_radar(struct file *file,\ndrivers/net/wireless/ath/ath12k/debugfs.c-14-\t\t\t\t\t const char __user *user_buf,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-20-\twiphy_lock(ath12k_ar_to_hw(ar)-\u003ewiphy);\ndrivers/net/wireless/ath/ath12k/debugfs.c:21:\tret = ath12k_wmi_simulate_radar(ar);\ndrivers/net/wireless/ath/ath12k/debugfs.c-22-\tif (ret)\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-30-\ndrivers/net/wireless/ath/ath12k/debugfs.c:31:static const struct file_operations fops_simulate_radar = {\ndrivers/net/wireless/ath/ath12k/debugfs.c:32:\t.write = ath12k_write_simulate_radar,\ndrivers/net/wireless/ath/ath12k/debugfs.c:33:\t.open = simple_open\ndrivers/net/wireless/ath/ath12k/debugfs.c-34-};\ndrivers/net/wireless/ath/ath12k/debugfs.c-35-\ndrivers/net/wireless/ath/ath12k/debugfs.c:36:static ssize_t ath12k_read_simulate_fw_crash(struct file *file,\ndrivers/net/wireless/ath/ath12k/debugfs.c-37-\t\t\t\t\t char __user *user_buf,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-40-\tconst char buf[] =\ndrivers/net/wireless/ath/ath12k/debugfs.c:41:\t\t\"To simulate firmware crash write one of the keywords to this file:\\n\"\ndrivers/net/wireless/ath/ath12k/debugfs.c-42-\t\t\"`assert` - send WMI_FORCE_FW_HANG_CMDID to firmware to cause assert.\\n\";\ndrivers/net/wireless/ath/ath12k/debugfs.c-43-\ndrivers/net/wireless/ath/ath12k/debugfs.c:44:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));\ndrivers/net/wireless/ath/ath12k/debugfs.c-45-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=47=static 
ssize_t\ndrivers/net/wireless/ath/ath12k/debugfs.c:48:ath12k_write_simulate_fw_crash(struct file *file,\ndrivers/net/wireless/ath/ath12k/debugfs.c-49-\t\t\t const char __user *user_buf,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-62-\ndrivers/net/wireless/ath/ath12k/debugfs.c:63:\trc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);\ndrivers/net/wireless/ath/ath12k/debugfs.c-64-\tif (rc \u003c 0)\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-81-\tif (!strcmp(buf, \"assert\")) {\ndrivers/net/wireless/ath/ath12k/debugfs.c:82:\t\tath12k_info(ab, \"simulating firmware assert crash\\n\");\ndrivers/net/wireless/ath/ath12k/debugfs.c-83-\t\tret = ath12k_wmi_force_fw_hang_cmd(ar,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-90-\tif (ret) {\ndrivers/net/wireless/ath/ath12k/debugfs.c:91:\t\tath12k_warn(ab, \"failed to simulate firmware crash: %d\\n\", ret);\ndrivers/net/wireless/ath/ath12k/debugfs.c-92-\t\treturn ret;\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-97-\ndrivers/net/wireless/ath/ath12k/debugfs.c:98:static const struct file_operations fops_simulate_fw_crash = {\ndrivers/net/wireless/ath/ath12k/debugfs.c:99:\t.read = ath12k_read_simulate_fw_crash,\ndrivers/net/wireless/ath/ath12k/debugfs.c:100:\t.write = ath12k_write_simulate_fw_crash,\ndrivers/net/wireless/ath/ath12k/debugfs.c:101:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs.c-102-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=783=static ssize_t ath12k_read_tpc_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-789-\ndrivers/net/wireless/ath/ath12k/debugfs.c:790:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-791-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=808=static const struct file_operations fops_tpc_stats_type = {\ndrivers/net/wireless/ath/ath12k/debugfs.c-809-\t.write = 
ath12k_write_tpc_stats_type,\ndrivers/net/wireless/ath/ath12k/debugfs.c:810:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs.c-811-\t.llseek = default_llseek,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=884=static ssize_t ath12k_read_extd_rx_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-896-\ndrivers/net/wireless/ath/ath12k/debugfs.c:897:\treturn simple_read_from_buffer(ubuf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-898-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=900=static const struct file_operations fops_extd_rx_stats = {\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-902-\t.write = ath12k_write_extd_rx_stats,\ndrivers/net/wireless/ath/ath12k/debugfs.c:903:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs.c-904-};\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=997=static ssize_t ath12k_read_link_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1003-\ndrivers/net/wireless/ath/ath12k/debugfs.c:1004:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1005-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1025=static ssize_t ath12k_debugfs_dump_device_dp_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1202-\ndrivers/net/wireless/ath/ath12k/debugfs.c:1203:\tret = simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1204-\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1208=static const struct file_operations fops_device_dp_stats = {\ndrivers/net/wireless/ath/ath12k/debugfs.c-1209-\t.read = ath12k_debugfs_dump_device_dp_stats,\ndrivers/net/wireless/ath/ath12k/debugfs.c:1210:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs.c-1211-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1215=void ath12k_debugfs_pdev_create(struct ath12k_base 
*ab)\ndrivers/net/wireless/ath/ath12k/debugfs.c-1216-{\ndrivers/net/wireless/ath/ath12k/debugfs.c:1217:\tdebugfs_create_file(\"simulate_fw_crash\", 0600, ab-\u003edebugfs_soc, ab,\ndrivers/net/wireless/ath/ath12k/debugfs.c:1218:\t\t\t \u0026fops_simulate_fw_crash);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1219-\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1250=void ath12k_debugfs_soc_destroy(struct ath12k_base *ab)\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1254-\t/* We are not removing ath12k directory on purpose, even if it\ndrivers/net/wireless/ath/ath12k/debugfs.c:1255:\t * would be empty. This simplifies the directory handling and it's\ndrivers/net/wireless/ath/ath12k/debugfs.c-1256-\t * a minor cosmetic issue to leave an empty ath12k directory to\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1307=static ssize_t ath12k_read_vdev_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1313-\ndrivers/net/wireless/ath/ath12k/debugfs.c:1314:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1315-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1374=static ssize_t ath12k_read_bcn_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1380-\ndrivers/net/wireless/ath/ath12k/debugfs.c:1381:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1382-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1435=static ssize_t ath12k_read_pdev_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1441-\ndrivers/net/wireless/ath/ath12k/debugfs.c:1442:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1443-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c=1472=void ath12k_debugfs_register(struct ath12k *ar)\n--\ndrivers/net/wireless/ath/ath12k/debugfs.c-1506-\tif (ar-\u003emac.sbands[NL80211_BAND_5GHZ].channels) 
{\ndrivers/net/wireless/ath/ath12k/debugfs.c:1507:\t\tdebugfs_create_file(\"dfs_simulate_radar\", 0200,\ndrivers/net/wireless/ath/ath12k/debugfs.c-1508-\t\t\t\t ar-\u003edebug.debugfs_pdev, ar,\ndrivers/net/wireless/ath/ath12k/debugfs.c:1509:\t\t\t\t \u0026fops_simulate_radar);\ndrivers/net/wireless/ath/ath12k/debugfs.c-1510-\t}\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c=6165=static ssize_t ath12k_read_htt_stats_type(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6179-\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c:6180:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6181-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c=6225=static const struct file_operations fops_htt_stats_type = {\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6227-\t.write = ath12k_write_htt_stats_type,\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c:6228:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6229-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c=6351=static ssize_t ath12k_read_htt_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6360-\tlength = min_t(u32, stats_req-\u003ebuf_len, ATH12K_HTT_STATS_BUF_SIZE);\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c:6361:\treturn simple_read_from_buffer(user_buf, count, ppos, buf, length);\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6362-}\n--\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c=6426=static const struct file_operations fops_htt_stats_reset = {\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6427-\t.write = ath12k_write_htt_stats_reset,\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c:6428:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs_htt_stats.c-6429-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c=139=static ssize_t 
ath12k_dbg_sta_dump_rx_stats(struct file *file,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-241-\tif (len)\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c:242:\t\tret = simple_read_from_buffer(user_buf, count, ppos, buf, len);\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-243-\treturn ret;\n--\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c=246=static const struct file_operations fops_rx_stats = {\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-247-\t.read = ath12k_dbg_sta_dump_rx_stats,\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c:248:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-249-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c=296=static const struct file_operations fops_reset_rx_stats = {\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-297-\t.write = ath12k_dbg_sta_reset_rx_stats,\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c:298:\t.open = simple_open,\ndrivers/net/wireless/ath/ath12k/debugfs_sta.c-299-\t.owner = THIS_MODULE,\n--\ndrivers/net/wireless/ath/ath12k/dp_peer.c=529=int ath12k_dp_link_peer_assign(struct ath12k_dp *dp, struct ath12k_dp_hw *dp_hw,\n--\ndrivers/net/wireless/ath/ath12k/dp_peer.c-592-\t\t * If old entry addition also fails, then nothing\ndrivers/net/wireless/ath/ath12k/dp_peer.c:593:\t\t * can be done, simply proceed\ndrivers/net/wireless/ath/ath12k/dp_peer.c-594-\t\t */\n--\ndrivers/net/wireless/ath/ath12k/mac.c=2372=static void ath12k_peer_assoc_h_vht(struct ath12k *ar,\n--\ndrivers/net/wireless/ath/ath12k/mac.c-2413-\ndrivers/net/wireless/ath/ath12k/mac.c:2414:\t/* TODO: similar flags required? 
*/\ndrivers/net/wireless/ath/ath12k/mac.c-2415-\targ-\u003evht_capable = true;\n--\ndrivers/net/wireless/ath/ath12k/reg.c=269=int ath12k_regd_update(struct ath12k *ar, bool init)\n--\ndrivers/net/wireless/ath/ath12k/reg.c-337-\ndrivers/net/wireless/ath/ath12k/reg.c:338:\t/* firmware provides reg rules which are similar for 2 GHz and 5 GHz\ndrivers/net/wireless/ath/ath12k/reg.c-339-\t * pdev but 6 GHz pdev has superset of all rules including rules for\n--\ndrivers/net/wireless/ath/ath12k/wmi.c=10023=ath12k_wmi_send_unit_test_cmd(struct ath12k *ar,\n--\ndrivers/net/wireless/ath/ath12k/wmi.c-10075-\ndrivers/net/wireless/ath/ath12k/wmi.c:10076:int ath12k_wmi_simulate_radar(struct ath12k *ar)\ndrivers/net/wireless/ath/ath12k/wmi.c-10077-{\n--\ndrivers/net/wireless/ath/ath12k/wmi.c-10095-\t * Currently we could pass segment_id(b0 - b1), chirp(b2)\ndrivers/net/wireless/ath/ath12k/wmi.c:10096:\t * freq offset (b3 - b10) to unit test. For simulation\ndrivers/net/wireless/ath/ath12k/wmi.c-10097-\t * purpose this can be set to 0 which is valid.\n--\ndrivers/net/wireless/ath/ath12k/wmi.h=3665=enum wmi_sta_ps_mode {\n--\ndrivers/net/wireless/ath/ath12k/wmi.h-3677-/* type, 0:unused 1: ASSERT 2: not respond detect command\ndrivers/net/wireless/ath/ath12k/wmi.h:3678: * delay_time_ms, the simulate will delay time\ndrivers/net/wireless/ath/ath12k/wmi.h-3679- */\n--\ndrivers/net/wireless/ath/ath12k/wmi.h=6466=int ath12k_wmi_send_pdev_set_regdomain(struct ath12k *ar,\ndrivers/net/wireless/ath/ath12k/wmi.h-6467-\t\t\t\t struct ath12k_wmi_pdev_set_regdomain_arg *arg);\ndrivers/net/wireless/ath/ath12k/wmi.h:6468:int ath12k_wmi_simulate_radar(struct ath12k *ar);\ndrivers/net/wireless/ath/ath12k/wmi.h-6469-int ath12k_wmi_send_twt_enable_cmd(struct ath12k *ar, u32 pdev_id);\n"
} |
| 7/2 | 2026/07/03 16:27 | llm | patch-evaluator |
0m Model:gemini-3.1-pro-preview Args: null Results: null Tokens: input: 13637 output: 133 thoughts: 795 Thoughts: **Unreachable Code Paths in Virtualized Environments** Okay, so I'm looking at this patch for the `ath12k` driver. My initial thought is that this is for real hardware, specifically Qualcomm Wi-Fi 7 devices. I need to figure out if these code changes are worth fuzzing. I can see there are `simulate_radar` and `simulate_fw_crash` debugfs commands, but nothing like a full MAC/PHY simulation like `hwsim`. My instinct is that, no, they're not. I started to think about Syzkaller. It has a PCI fuzzer, and I wondered if that could be used on `ath12k`. Perhaps if the fuzzer could trigger WMI events by writing to MMIO, it might reach functions like `ath12k_chan_info_event`. But then I remembered that WMI events are complex structures sent via MHI or the Copy Engine. It's incredibly unlikely that a random MMIO write would emulate a valid WMI event sequence. Hmm, Syzkaller also has a mac80211 fuzzer (via hwsim). However, `hwsim` only fuzzes mac80211, not `ath12k`. I re-read the prompt. It says to return `WorthFuzzing=false` if the patch concerns "Code paths that are impossible to reach in virtualized environments like GCE or QEMU, even when utilizing software-emulated hardware (e.g., usb gadget, mac80211_hwsim)." Since `ath12k` is a hardware-specific driver for a PCI/AHB device, and there's no software emulation for it in QEMU/GCE, it's impossible to reach these code paths in a virtualized environment. Just to be sure, let me check. I know that `ath12k_mac_op_get_survey` is registered as a mac80211 callback. To register it, `ath12k_mac_register` must be called. `ath12k_mac_register` is called during device initialization (`ath12k_core_start`). Device initialization requires a real PCI/AHB device to probe, and then it communicates with the firmware to get capabilities before registering with mac80211. 
Without real hardware or a specific emulator, `ath12k_core_start` is going to fail early. It'll fail to load firmware, fail to initialize MHI, fail to get WMI ready. Therefore, the mac80211 callbacks for `ath12k` will never be registered in a virtualized environment. So yes, the code paths are impossible to reach. Okay, let me confirm this reasoning. The patch modifies the `ath12k` driver. It requires real hardware and firmware to boot. In a virtualized environment like GCE or QEMU without PCI passthrough of the specific hardware, the driver will not probe successfully. Even with Syzkaller's PCI fuzzer, it's practically impossible to pass the complex firmware boot sequence (MHI, QMI, WMI) to register the mac80211 device. Thus, the modified functions (`ath12k_mac_op_get_survey`, `ath12k_chan_info_event`, etc.) are unreachable. Therefore, `WorthFuzzing` should be `false`. Just to be absolutely sure, let me check if there is any other way. Is there a dummy or test mode in `ath12k`? I searched for "sim" and found `simulate_radar` and `simulate_fw_crash`, which are debugfs commands to send WMI commands to the firmware. They still require the firmware to be running. There is no `hwsim` equivalent for `ath12k`. So yes, it's unreachable. I'm going to set `WorthFuzzing=false` and provide this reasoning. |
| 8/2 | 2026/07/03 16:27 | tool | set-results |
0m Args:{
"EnableConfigs": [],
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 PCIe/AHB devices. The modified code paths (mac80211 callbacks and WMI event handlers) require a successful device probe and firmware boot sequence (MHI, QMI, WMI) to be reachable. Since there is no software emulation for this hardware in virtualized environments like QEMU or GCE, these code paths are impossible to reach and fuzz.",
"WorthFuzzing": false
}Results: {
"EnableConfigs": null,
"FocusSymbols": [],
"Reasoning": "The patch modifies the ath12k driver, which is a hardware-specific driver for Qualcomm Wi-Fi 7 PCIe/AHB devices. The modified code paths (mac80211 callbacks and WMI event handlers) require a successful device probe and firmware boot sequence (MHI, QMI, WMI) to be reachable. Since there is no software emulation for this hardware in virtualized environments like QEMU or GCE, these code paths are impossible to reach and fuzz.",
"WorthFuzzing": false
} |