Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp13167774rwl;
        Wed, 4 Jan 2023 04:37:16 -0800 (PST)
X-Google-Smtp-Source: AMrXdXvpA7GU1sjrl5sBkHx2aHUx7S703/Hp2MWbDfTp0cMKCzNMLfHc5htyj+nTEQ/bsaIltsTv
X-Received: by 2002:a17:902:6ac3:b0:192:f5f3:4edf with SMTP id i3-20020a1709026ac300b00192f5f34edfmr407902plt.38.1672835835955;
        Wed, 04 Jan 2023 04:37:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672835835; cv=none;
        d=google.com; s=arc-20160816;
        b=Og5qiQBKk1e9YzausLzGU2m1kuiKlz7zbeQX/H4N4wv6ftBP/iAlHCjBhfD8BsosEX
         20RaDFFiCoKQj8n886gSQFRtaWLX1I5thQlK4oUFei92CN6C5hIM+aLtSB67tRm4zP2M
         z7QAj1ezWgkrG0js2prgi0zkQYa0sIyjjjkknxuIRS1G10mWb/WyfzDuNNH5ruJcy0VJ
         jU9BtGds9YMMipw0DTKON5yRaBpot6bWx3H6dVKtN9XkcHF6zE8LITQo66fGY/tGg51V
         lt3HX75U31j2XMBWq67MJVlG9T6bUxhKxXxGoI+c/KguvYKOIuB91/AZI6uDZ2yozSeC
         p5Rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=c8/iV3m2yGN3qQpe5hfIWuQeZ/mvresc+PA7yEvfDgQ=;
        b=dU64gCI5IBck4XNqOlZc5f7nBLBHfKanssYIWf+bFtgB89WFqzLO4hOI0hHhhIqTSd
         WDjtOofChEIiypPC6OGY8mDIkwi1Qk5VOMHXWFGMuTP5dnJE/HwlCry3MVDDB7928XHb
         6PJJ4N56Krv3VB9RWWyuyefkE8ip3RWkVr8YAg6le8EPG8KagPXR+kw+HceiG7HQQrht
         FyRWd5Osg89BRQIGoWUPsTiyYLaMqmKjEjpbi/oUcBGZik/Lflv15vGAogHAQ9Zw+90s
         8WNI6hgU9h/6FeKzAT62R+64xRf53JeNJ8aQjpdx1V3w2dn9Kiq5ZXLRWQJa1FgH9836
         eiZg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=LQtkeGG+;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a9-20020a170902ee8900b001893efd3e00si32975694pld.49.2023.01.04.04.37.07;
        Wed, 04 Jan 2023 04:37:15 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=LQtkeGG+;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239159AbjADMgU (ORCPT <rfc822;jonatan.stofkoper@gmail.com>
        + 67 others); Wed, 4 Jan 2023 07:36:20 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55338 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239184AbjADMgG (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Wed, 4 Jan 2023 07:36:06 -0500
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 06D1A121;
        Wed,  4 Jan 2023 04:36:02 -0800 (PST)
Received: from fedcomp.. (unknown [46.242.14.200])
        by mail.ispras.ru (Postfix) with ESMTPSA id 3D9CD419E9F2;
        Wed,  4 Jan 2023 12:36:00 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 3D9CD419E9F2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1672835760;
        bh=c8/iV3m2yGN3qQpe5hfIWuQeZ/mvresc+PA7yEvfDgQ=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=LQtkeGG+e0ADJ67wH+wfscc70YA0wnhYkVct07efADziPPFDYpFKSrBFvZV1U+i9w
         1keHUD7aSUju+Og9o4ShlCypODiainL6ReQZ76Q0SNqiCJTrwEH/rQpOR/4jIDsJHj
         +3FNMUCnH9cRhsIBE47vrGrRk9xcHsabyAuYuXJM=
From:   Fedor Pchelkin <pchelkin@ispras.ru>
To:     =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>,
        Kalle Valo <kvalo@kernel.org>
Cc:     Fedor Pchelkin <pchelkin@ispras.ru>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Sujith <Sujith.Manoharan@atheros.com>,
        "John W. Linville" <linville@tuxdriver.com>,
        Vasanthakumar Thiagarajan <vasanth@atheros.com>,
        Senthil Balasubramanian <senthilkumar@atheros.com>,
        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        lvc-project@linuxtesting.org,
        syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com,
        syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Subject: [PATCH v4] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
Date:   Wed,  4 Jan 2023 15:35:46 +0300
Message-Id: <20230104123546.51427-1-pchelkin@ispras.ru>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <87edsa32s6.fsf@toke.dk>
References: 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no another callback function, and Syzkaller was
able to cause a memory leak. Also minor comment fix.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
v1->v2: added Reported-by tag
v2->v3: use 'goto invalid' instead of freeing skb in place
v3->v4: fix lost comment

 drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index ca05b07a45e6..fe62ff668f75 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
  * HTC Messages are handled directly here and the obtained SKB
  * is freed.
  *
- * Service messages (Data, WMI) passed to the corresponding
+ * Service messages (Data, WMI) are passed to the corresponding
  * endpoint RX handlers, which have to free the SKB.
  */
 void ath9k_htc_rx_msg(struct htc_target *htc_handle,
@@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
 		if (endpoint->ep_callbacks.rx)
 			endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
 						  skb, epid);
+		else
+			goto invalid;
 	}
 }
 
-- 
2.34.1