[PATCH] firewire: core: propagate cycle-timer read failure in legacy ioctl

[Michael Bommarito]

The legacy FW_CDEV_IOC_GET_CYCLE_TIMER handler ioctl_get_cycle_timer()
reads into a local struct fw_cdev_get_cycle_timer2 via
ioctl_get_cycle_timer2() and then copies tv_sec, tv_nsec and cycle_timer
into the user-visible output, but it ignores the helper's return value.
Since commit bacf921c42bb ("firewire: core: use guard macro to disable
local IRQ") the helper returns early on fw_card_read_cycle_time()
failure (for example -ENODEV after the dummy card driver is swapped in
during controller removal) without writing those fields, so the wrapper
copies out the uninitialized local: 12 of the 16 user-visible bytes are
uninitialized kernel stack. The non-legacy ioctl already returns the
error on this path.

Propagate the helper return value so no output is copied on failure.

Reproduced under KMSAN; the legacy wrapper no longer returns
uninitialized cycle-timer bytes after this change.

Fixes: bacf921c42bb ("firewire: core: use guard macro to disable local IRQ")
Cc: stable@xxxxxxxxxxxxxxx # v6.12+
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
---
Reproduction (v7.1-rc4, x86_64 QEMU, CONFIG_KMSAN=y, stack auto-init off):

With fw_card_read_cycle_time() forced to fail, the stock legacy handler
returns 0 and KMSAN reports the uninitialized local being stored to the
output:

  BUG: KMSAN: uninit-value in ioctl_get_cycle_timer
  Local variable ct2 created at: ioctl_get_cycle_timer

The leaked output is local_time (8 bytes, bytes 0-7, computed from the
uninitialized tv_sec/tv_nsec) and cycle_timer (4 bytes, bytes 8-11,
copied verbatim). After this change the handler returns -ENODEV and the
KMSAN reports are gone; a success-path control stays clean.

 drivers/firewire/core-cdev.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index f791db4c8dfff..1d80e30cb681e 100644
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -1283,9 +1283,12 @@ static int ioctl_get_cycle_timer(struct client *client, union ioctl_arg *arg)
 {
 	struct fw_cdev_get_cycle_timer *a = &arg->get_cycle_timer;
 	struct fw_cdev_get_cycle_timer2 ct2;
+	int ret;
 
 	ct2.clk_id = CLOCK_REALTIME;
-	ioctl_get_cycle_timer2(client, (union ioctl_arg *)&ct2);
+	ret = ioctl_get_cycle_timer2(client, (union ioctl_arg *)&ct2);
+	if (ret < 0)
+		return ret;
 
 	a->local_time = ct2.tv_sec * USEC_PER_SEC + ct2.tv_nsec / NSEC_PER_USEC;
 	a->cycle_timer = ct2.cycle_timer;

base-commit: e24a98d6884a6e4203a77a94f070a59fcab95208
-- 
2.53.0