Fedor Pchelkin <pchelkin@xxxxxxxxx> wrote:
> It is stated that ath9k_htc_rx_msg() either frees the provided skb or
> passes its management to another callback function. However, the skb is
> not freed in case there is no another callback function, and Syzkaller was
> able to cause a memory leak. Also minor comment fix.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-by: syzbot+e008dccab31bd3647609@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-by: syzbot+6692c72009680f7c4eb2@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
> Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
Patch applied to ath-next branch of ath.git, thanks.
9b25e3985477 wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
--
https://patchwork.kernel.org/project/linux-wireless/patch/20230104123546.51427-1-pchelkin@xxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
