Fedor Pchelkin <[email protected]> writes:
> Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().
> While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated
> skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we
> have an incorrect pkt_len or pkt_tag, the input skb is considered invalid
> and dropped. All the associated packets already in skb_pool should be
> dropped and freed. Added a comment describing this issue.
>
> The patch also makes remain_skb NULL after being processed so that it
> cannot be referenced after potential free. The initialization of hif_dev
> fields which are associated with remain_skb (rx_remain_len,
> rx_transfer_len and rx_pad_len) is moved after a new remain_skb is
> allocated.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: 6ce708f54cc8 ("ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream")
> Fixes: 44b23b488d44 ("ath9k: hif_usb: Reduce indent 1 column")
> Reported-by: [email protected]
> Signed-off-by: Fedor Pchelkin <[email protected]>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
Acked-by: Toke Høiland-Jørgensen <[email protected]>