Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp5205537rwl; Wed, 28 Dec 2022 14:51:02 -0800 (PST) X-Google-Smtp-Source: AMrXdXtUvh7A2jFuTTwL06xkaOfccyDUeRiBflENAbIUkjuesVWbGr0xWRUdbODOpyUSAo3KNePk X-Received: by 2002:a17:907:c202:b0:7c1:19e3:9f21 with SMTP id ti2-20020a170907c20200b007c119e39f21mr20924590ejc.7.1672267862309; Wed, 28 Dec 2022 14:51:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672267862; cv=none; d=google.com; s=arc-20160816; b=rKNHNtUIP9S8wAP6ZCM4VVej3q6YnqmNAArAVWj+bfwk0TvNhsucsEc8RFNzcVCxb7 AlNxKlQdIjBNNUNJIRILejMvMBbdKh7kCOCr+E/THGbmXmnUtWWhsyhR75Ikgw6g5sPW clHoHYU2ZdwdL/MWvUpcW0hHVgajQV4z75AI6ntk1qbm3YYG0k036abcv9KNjuZqoyXn G4vXKH4d2VIUf3Gl7FgVOU7NhD66KlyNHo8BwDMq2p0plrb2B3+8dqVUmzglOtrU54Ql iaeJVTfUf+EE9okW7gVuS9cgKC42qyn6Cu9bnEWvIiz0Ei2Nqup5CSpFdiv49WV5UfbK t6Tg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-filter; bh=yAe/xSvn4I4BDY4nXAoWtF0FbwyCZJFaP8UyARdW5hU=; b=uDzqPPEDHauCd9peSTzBCdWFCC3rnTijJCuvYHXR5VGwIXWW3MWRcxej0JIs7nalz3 JgsmP98AqV9lHb+kOGJdbnV0NxUopooQ/ZIpJze3CLVNjZn6g/Gy+Z6y+ii6u3C6fx3m ugttH02KawzyoWDPe9GSOaa/BsrY7yIuwEEyH+FQ70hhmwDy4rfxz2ksKNUsbn7t6tTH EyP5nFTZhGpNC3nK4mODWVI8DnGvstgALPM0HkhFYHVy+FBt9nzGtnc+oJ9/uyXKn0Lw ZDI06UP8NtUnW3S3kz6dZpTsbit7r3Ssl77oExlNzkMYUrAsZc7Ifvm3bq1jZ6yniRQV ZIhg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=XaDnrIsU; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id cr11-20020a170906d54b00b00787ad97302asi13541338ejc.863.2022.12.28.14.50.45; Wed, 28 Dec 2022 14:51:02 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=XaDnrIsU; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231578AbiL1WlE (ORCPT + 67 others); Wed, 28 Dec 2022 17:41:04 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56170 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229630AbiL1WlC (ORCPT ); Wed, 28 Dec 2022 17:41:02 -0500 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 82379258; Wed, 28 Dec 2022 14:41:01 -0800 (PST) Received: from fedcomp.intra.ispras.ru (unknown [46.242.14.200]) by mail.ispras.ru (Postfix) with ESMTPSA id EEA2940737D4; Wed, 28 Dec 2022 22:40:59 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru EEA2940737D4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1672267260; bh=yAe/xSvn4I4BDY4nXAoWtF0FbwyCZJFaP8UyARdW5hU=; h=From:To:Cc:Subject:Date:From; b=XaDnrIsUaEQAqsWu7EDbJqxAhW6D8aRfyNfPYxOn+01FDM2oLQeDNDuooar2h/ImU K+SLOZFcPjvPBBYc4OpKgcauRNnGQU9p7vQVlqUa1j7/suZJViRXY8GXbhtb4fhoKh lpOjywYp76syTpPKfwqjmIDcrYdSCtw7otTov0TI= From: Fedor Pchelkin To: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= , Kalle Valo Cc: Fedor Pchelkin , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Sujith , "John W. Linville" , Vasanthakumar Thiagarajan , Senthil Balasubramanian , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Alexey Khoroshilov , lvc-project@linuxtesting.org Subject: [PATCH] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function Date: Thu, 29 Dec 2022 01:40:47 +0300 Message-Id: <20221228224047.146399-1-pchelkin@ispras.ru> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org It is stated that ath9k_htc_rx_msg() either frees the provided skb or passes its management to another callback function. However, the skb is not freed in case there is no another callback function, and Syzkaller was able to cause a memory leak. Also minor comment fix. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov --- drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index ca05b07a45e6..7d5041eb5f29 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, * HTC Messages are handled directly here and the obtained SKB * is freed. * - * Service messages (Data, WMI) passed to the corresponding + * Service messages (Data, WMI) are passed to the corresponding * endpoint RX handlers, which have to free the SKB. */ void ath9k_htc_rx_msg(struct htc_target *htc_handle, @@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, if (endpoint->ep_callbacks.rx) endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, skb, epid); + else + kfree_skb(skb); } } -- 2.34.1