Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp11919928rwl;
        Tue, 3 Jan 2023 06:40:19 -0800 (PST)
X-Google-Smtp-Source: AMrXdXvBDocFbdiRM8fst86uzP2SVyByEv0x+S1IOGItJT6OOcdj5TQu3riHsGGr6wYLzaBOWBWV
X-Received: by 2002:a62:a21e:0:b0:581:95a7:d2f4 with SMTP id m30-20020a62a21e000000b0058195a7d2f4mr24368638pff.9.1672756819453;
        Tue, 03 Jan 2023 06:40:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672756819; cv=none;
        d=google.com; s=arc-20160816;
        b=G4QWYEKs3nVOZpLFhE4VtyBDmnSQT0IcxY1ghjTKAmR9GIzVZ8JbqB9E06EVHS5iIJ
         Pjp0q029Y9NwL1xQwMqZTDg8s1W5fO6G1n/sE+9IRy1SS54WJWEZGrE/NvNwdyxnqUMJ
         RacygEB6A9doR02Oib/XHLGPQlwpwOJgNX6PuiVgLOez2GESRHmsBhp01CdVM388EJG9
         gy7i28QedxWgHDYKua6gx0nGxoJOLJH7ub0kTNKhQ8f5r/UG6u2EnSzQcteiAReljmhr
         /NG/khqYrl+ZIulifpI/Qao0wohKVeODvwdXMmOeGUrxHzuui7Ur+oJz3BUsjUGJNfvg
         XVqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=rbCk1xfJaRKlVodLkbPs6bbcHj0yZFU+gxf1fDZnm4Y=;
        b=LATyH5v2OJCypGii/m4hElLnXCVCtn7HF+9QvN/0nlVKKv1q4vhu9RQQn+4lD9JV3/
         VFo/r+XUkXo4iZDOFSxZHJ4MtwvBd8EiN3kU4aPdGEVi7Wnj8N+T2PU80OXrjKYILoLi
         S8UdpMKV7WEiNzwAwwBsxgjWfDp8PKHGQ2qzuoH/X1JrQjP5gH1xaeqdHUuZch5x3cqr
         WxFbiak5nO/ECRqDK6F4D3Z60VlySM3aPoXcsHyZO8LF7bgDBmPbtp690+IvqG0IQZCY
         KQa6gXynoH0I9a6u6B0ovtYkUB8ZQq7Vb6+cmY6cSzRMtmeKfv2Vwsb45klNFH2qf+G6
         gt+g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=cmaA48Hq;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id o3-20020a056a001bc300b005816eb19ee2si20103003pfw.162.2023.01.03.06.40.11;
        Tue, 03 Jan 2023 06:40:19 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=cmaA48Hq;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S237772AbjACOc6 (ORCPT <rfc822;jonatan.stofkoper@gmail.com>
        + 67 others); Tue, 3 Jan 2023 09:32:58 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46896 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S237946AbjACOct (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 3 Jan 2023 09:32:49 -0500
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BB230EE24;
        Tue,  3 Jan 2023 06:32:48 -0800 (PST)
Received: from fedcomp.. (unknown [46.242.14.200])
        by mail.ispras.ru (Postfix) with ESMTPSA id 2718A419E9EB;
        Tue,  3 Jan 2023 14:32:47 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 2718A419E9EB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1672756367;
        bh=rbCk1xfJaRKlVodLkbPs6bbcHj0yZFU+gxf1fDZnm4Y=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=cmaA48Hqic1MH6SCk96NoQQhTzjYYewzO2ZgEDCLo9Jc01G4YQHkQzmCV6+RtkghB
         I5g9RtgjNugmEnPqftz5Ko009tLys1iVA3Gu2O7n08abDwzn9yA17AvTDHETQIxA8J
         8nQOdf442BpzlRC9px+WDF+OWZC46SZnzNSLDl6Q=
From:   Fedor Pchelkin <pchelkin@ispras.ru>
To:     =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>,
        Kalle Valo <kvalo@kernel.org>
Cc:     Fedor Pchelkin <pchelkin@ispras.ru>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Sujith <Sujith.Manoharan@atheros.com>,
        "John W. Linville" <linville@tuxdriver.com>,
        Vasanthakumar Thiagarajan <vasanth@atheros.com>,
        Senthil Balasubramanian <senthilkumar@atheros.com>,
        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        lvc-project@linuxtesting.org,
        syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com,
        syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Subject: [PATCH v2] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Date:   Tue,  3 Jan 2023 17:32:02 +0300
Message-Id: <20230103143202.274163-1-pchelkin@ispras.ru>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20221228224047.146399-1-pchelkin@ispras.ru>
References: 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no another callback function, and Syzkaller was
able to cause a memory leak. Also minor comment fix.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
v1->v2: added Reported-by tag

 drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index ca05b07a45e6..7d5041eb5f29 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
  * HTC Messages are handled directly here and the obtained SKB
  * is freed.
  *
- * Service messages (Data, WMI) passed to the corresponding
+ * Service messages (Data, WMI) are passed to the corresponding
  * endpoint RX handlers, which have to free the SKB.
  */
 void ath9k_htc_rx_msg(struct htc_target *htc_handle,
@@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
 		if (endpoint->ep_callbacks.rx)
 			endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
 						  skb, epid);
+		else
+			kfree_skb(skb);
 	}
 }
 
-- 
2.34.1