| Message ID | 4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org |
|---|---|
| State | New |
| Headers | show |
| Series | [wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment() | expand |
Lorenzo Bianconi <lorenzo@kernel.org> wrote: > Fix a memory leak in mt76_add_fragment routine returning the buffer > to the page_frag_cache when we receive a new fragment and the > skb_shared_info frag array is full. > > Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet") > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> I assigned this to me on patchwork and queued for v5.11. Felix, can you ack?
Lorenzo Bianconi <lorenzo@kernel.org> wrote: > Fix a memory leak in mt76_add_fragment routine returning the buffer > to the page_frag_cache when we receive a new fragment and the > skb_shared_info frag array is full. > > Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet") > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> > Acked-by: Felix Fietkau <nbd@nbd.name> Patch applied to wireless-drivers.git, thanks. 93a1d4791c10 mt76: dma: fix a possible memory leak in mt76_add_fragment() -- https://patchwork.kernel.org/project/linux-wireless/patch/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c index 73eeb00d5aa6..e81dfaf99bcb 100644 --- a/drivers/net/wireless/mediatek/mt76/dma.c +++ b/drivers/net/wireless/mediatek/mt76/dma.c @@ -509,15 +509,17 @@ static void mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data, int len, bool more) { - struct page *page = virt_to_head_page(data); - int offset = data - page_address(page); struct sk_buff *skb = q->rx_head; struct skb_shared_info *shinfo = skb_shinfo(skb); if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) { - offset += q->buf_offset; + struct page *page = virt_to_head_page(data); + int offset = data - page_address(page) + q->buf_offset; + skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len, q->buf_size); + } else { + skb_free_frag(data); } if (more)
Fix a memory leak in mt76_add_fragment routine returning the buffer to the page_frag_cache when we receive a new fragment and the skb_shared_info frag array is full. Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet") Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> --- drivers/net/wireless/mediatek/mt76/dma.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)