CVE-2023-53641

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: hifusb: fix memory leak of remainskbs

hifdev->remainskb is allocated and used exclusively in ath9khifusbrxstream(). It is implied that an allocated remainskb is processed and subsequently freed (in error paths) only during the next call of ath9khifusbrx_stream().

So, if the urbs are deallocated between those two calls due to the device deinitialization or suspend, it is possible that ath9khifusbrxstream() is not called next time and the allocated remain_skb is leaked. Our local Syzkaller instance was able to trigger that.

remainskb makes sense when receiving two consecutive urbs which are logically linked together, i.e. a specific data field from the first skb indicates a cached skb to be allocated, memcpy'd with some data and subsequently processed in the next call to ath9khifusbrx_stream(). Urbs deallocation supposedly makes that link irrelevant so we need to free the cached skb in those cases.

Fix the leak by introducing a function to explicitly free remainskb (if it is not NULL) when the rx urbs have been deallocated. remainskb is NULL when it has not been allocated at all (hifdev struct is kzalloced) or when it has been processed in next call to ath9khifusbrx_stream().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.