CVE-2023-53199

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: ath9k: hif_usb: clean up skbs if ath9k_hif_usb_rx_stream() fails<br /> <br /> Syzkaller detected a memory leak of skbs in ath9k_hif_usb_rx_stream().<br /> While processing skbs in ath9k_hif_usb_rx_stream(), the already allocated<br /> skbs in skb_pool are not freed if ath9k_hif_usb_rx_stream() fails. If we<br /> have an incorrect pkt_len or pkt_tag, the input skb is considered invalid<br /> and dropped. All the associated packets already in skb_pool should be<br /> dropped and freed. Added a comment describing this issue.<br /> <br /> The patch also makes remain_skb NULL after being processed so that it<br /> cannot be referenced after potential free. The initialization of hif_dev<br /> fields which are associated with remain_skb (rx_remain_len,<br /> rx_transfer_len and rx_pad_len) is moved after a new remain_skb is<br /> allocated.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.