From: Fedor Pchelkin
To: Toke Høiland-Jørgensen, Kalle Valo
Cc: Fedor Pchelkin, "David S. Miller", Eric Dumazet, Jakub Kicinski,
    Paolo Abeni, Sujith, "John W. Linville", Vasanthakumar Thiagarajan,
    Senthil Balasubramanian, linux-wireless@vger.kernel.org,
    netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
    Alexey Khoroshilov, lvc-project@linuxtesting.org,
    syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com,
    syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Subject: [PATCH v4] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Date: Wed, 4 Jan 2023 15:35:46 +0300
Message-Id: <20230104123546.51427-1-pchelkin@ispras.ru>
In-Reply-To: <87edsa32s6.fsf@toke.dk>

It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no other callback function, and Syzkaller was
able to cause a memory leak.

Also minor comment fix.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin
Signed-off-by: Alexey Khoroshilov
---
v1->v2: added Reported-by tag
v2->v3: use 'goto invalid' instead of freeing skb in place
v3->v4: fix lost comment

 drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c index ca05b07a45e6..fe62ff668f75 100644 --- a/drivers/net/wireless/ath/ath9k/htc_hst.c +++ b/drivers/net/wireless/ath/ath9k/htc_hst.c @@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, * HTC Messages are handled directly here and the obtained SKB * is freed. * - * Service messages (Data, WMI) passed to the corresponding + * Service messages (Data, WMI) are passed to the corresponding * endpoint RX handlers, which have to free the SKB. */ void ath9k_htc_rx_msg(struct htc_target *htc_handle, @@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, if (endpoint->ep_callbacks.rx) endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, skb, epid); + else + goto invalid; } } -- 2.34.1
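Review bot: In the first hunk (@@ -391), the comment still lists only two outcomes for the skb: HTC messages are freed here, and service messages are passed to endpoint RX handlers that have to free it. The second hunk introduces a third outcome, a service message whose endpoint has no rx callback, which now takes `goto invalid`. Since this comment is already being edited, add a sentence saying the SKB is also freed here when the endpoint has no RX handler, so the ownership rule the commit message refers to is fully documented.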
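Review bot: In the second hunk (@@ -478), the new `else goto invalid;` jumps to a label whose code is outside the visible context, and whose name suggests a malformed message rather than a valid endpoint with no rx callback registered. Please confirm that everything done at `invalid` is appropriate for this case (only the skb free that the v2->v3 changelog entry describes), and consider a one-line comment on the else branch stating that the skb is dropped because no handler is registered.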