From: Fedor Pchelkin
To: Toke Høiland-Jørgensen, Kalle Valo
Cc: Fedor Pchelkin, "David S. Miller", Eric Dumazet, Jakub Kicinski,
    Paolo Abeni, Sujith, "John W. Linville", Vasanthakumar Thiagarajan,
    Senthil Balasubramanian, linux-wireless@vger.kernel.org,
    netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
    Alexey Khoroshilov, lvc-project@linuxtesting.org,
    syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com,
    syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Subject: [PATCH v3] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Date: Wed, 4 Jan 2023 15:15:58 +0300
Message-Id: <20230104121558.38969-1-pchelkin@ispras.ru>
In-Reply-To: <20230103224815.304147-1-pchelkin@ispras.ru>

It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no other callback function, and Syzkaller was
able to cause a memory leak.

Also minor comment fix.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin
Signed-off-by: Alexey Khoroshilov
---
v1->v2: added Reported-by tag
v2->v3: use 'goto invalid' instead of freeing skb in place

 drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index ca05b07a45e6..0c95f6b145ff 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, if (endpoint->ep_callbacks.rx) endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, skb, epid); + else + goto invalid; } } -- 2.34.1
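
Review bot: the commit message says "Also minor comment fix", but the diffstat reports 2 insertions and the single hunk at @@ -478,6 +478,8 @@ only adds the `else` / `goto invalid;` pair after the `endpoint->ep_callbacks.rx` call, so no comment is touched in v3; drop that sentence from the changelog or put the comment change back. Separately, the `invalid` label lies outside the context lines shown here, so the patch as posted does not let a reader confirm that the jump frees the skb exactly once and does nothing else that would be wrong for a message with a valid endpoint but no rx callback; a sentence in the commit message stating what the label does would make the ownership rule checkable from the patch alone.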