From patchwork Wed Jan  4 12:35:46 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Fedor Pchelkin <pchelkin@ispras.ru>
X-Patchwork-Id: 38893
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp5120072wrt;
        Wed, 4 Jan 2023 04:37:48 -0800 (PST)
X-Google-Smtp-Source: 
 AMrXdXutpHWsOtKasB/v690l4bClI6b5YOeYIRbgZFboDcuVelHVbePpZC2VQqaFvmvz/NoZui14
X-Received: by 2002:a17:902:ec89:b0:18b:ed3f:c6ca with SMTP id
 x9-20020a170902ec8900b0018bed3fc6camr68205937plg.12.1672835867779;
        Wed, 04 Jan 2023 04:37:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1672835867; cv=none;
        d=google.com; s=arc-20160816;
        b=BqrXGXV1HiaKKZAO0/ijIr/P47E1yPCL5//AIGmDvTXlJVTmnnKdpo9X5NkEpjcw8z
         0yQlMLtMy9c6+DRTEn6QO9SjR9tvnIS+ufQa2OXvmP3cZBr1N/3K5yI0bSqtchDLPl0q
         G8VStx0MSpl6CnDcpfRnRY6TmiYvcJ4U7L51Cxy+oWAf+8X4ZxHm2f8RDMPmMM4w4j0v
         s9/fZ83EwJNMEhrxsWb9uhcO4Kt2IYyeIsRlINfUHMKYvbTyyppjHtU40VIZdlKYWOnX
         v3r8JnCeyFrY1HkNTzG0iOAZQ51zfnRKqOLRLj5S2pmxDECqHS5zGgyBUc0UO3/axdeT
         F/sQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=c8/iV3m2yGN3qQpe5hfIWuQeZ/mvresc+PA7yEvfDgQ=;
        b=GBGo5V3xmX3JiKCT4H2IQbgONvpjUwVmFroD/zAly1mUgDMD4TK+uWrQD2PAs9GD4m
         sgAsE8lYeRkVu4WjWByAFzNlM/OcYb6Dttr3GzfKqCk1td0zt3UzUVINsmOxgDIK98g1
         9DWbyxrAXR0wOdXMoGjh3/BVyOzaazLXlLWKY02ZT2KU3QnveFkIcv3hxJsncfB/Fri0
         LTwMETX0IRm/D7QbdpCrdYc3QerfleQXR0lbvkYTP1BodhgMtniW7JxqBnRAGmhnvxOf
         jZDFGPuaPHbXQnd1sL8d/fLtq1YVl8bFFxQFdcFPgqEqSYjS8WNYMJOP0ggmMVXp4Rd0
         zv0w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=LQtkeGG+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 z8-20020a170902708800b00186827cc5e9si32992637plk.562.2023.01.04.04.37.35;
        Wed, 04 Jan 2023 04:37:47 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=LQtkeGG+;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239189AbjADMgW (ORCPT <rfc822;tmhikaru@gmail.com> + 99 others);
        Wed, 4 Jan 2023 07:36:22 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55338 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239184AbjADMgG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Jan 2023 07:36:06 -0500
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 06D1A121;
        Wed,  4 Jan 2023 04:36:02 -0800 (PST)
Received: from fedcomp.. (unknown [46.242.14.200])
        by mail.ispras.ru (Postfix) with ESMTPSA id 3D9CD419E9F2;
        Wed,  4 Jan 2023 12:36:00 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 3D9CD419E9F2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1672835760;
        bh=c8/iV3m2yGN3qQpe5hfIWuQeZ/mvresc+PA7yEvfDgQ=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=LQtkeGG+e0ADJ67wH+wfscc70YA0wnhYkVct07efADziPPFDYpFKSrBFvZV1U+i9w
         1keHUD7aSUju+Og9o4ShlCypODiainL6ReQZ76Q0SNqiCJTrwEH/rQpOR/4jIDsJHj
         +3FNMUCnH9cRhsIBE47vrGrRk9xcHsabyAuYuXJM=
From: Fedor Pchelkin <pchelkin@ispras.ru>
To: =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>,
 Kalle Valo <kvalo@kernel.org>
Cc: Fedor Pchelkin <pchelkin@ispras.ru>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Sujith <Sujith.Manoharan@atheros.com>,
        "John W. Linville" <linville@tuxdriver.com>,
        Vasanthakumar Thiagarajan <vasanth@atheros.com>,
        Senthil Balasubramanian <senthilkumar@atheros.com>,
        linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        lvc-project@linuxtesting.org,
        syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com,
        syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Subject: [PATCH v4] wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if
 there is no callback function
Date: Wed,  4 Jan 2023 15:35:46 +0300
Message-Id: <20230104123546.51427-1-pchelkin@ispras.ru>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <87edsa32s6.fsf@toke.dk>
References: 
MIME-Version: 1.0
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1753500085735647785?=
X-GMAIL-MSGID: =?utf-8?q?1754095542901229059?=

It is stated that ath9k_htc_rx_msg() either frees the provided skb or
passes its management to another callback function. However, the skb is
not freed in case there is no another callback function, and Syzkaller was
able to cause a memory leak. Also minor comment fix.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com
Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
---
v1->v2: added Reported-by tag
v2->v3: use 'goto invalid' instead of freeing skb in place
v3->v4: fix lost comment

 drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index ca05b07a45e6..fe62ff668f75 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -391,7 +391,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle,
  * HTC Messages are handled directly here and the obtained SKB
  * is freed.
  *
- * Service messages (Data, WMI) passed to the corresponding
+ * Service messages (Data, WMI) are passed to the corresponding
  * endpoint RX handlers, which have to free the SKB.
  */
 void ath9k_htc_rx_msg(struct htc_target *htc_handle,
@@ -478,6 +478,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle,
 		if (endpoint->ep_callbacks.rx)
 			endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv,
 						  skb, epid);
+		else
+			goto invalid;
 	}
 }