Message ID | 20230707105243.22824-1-dmantipov@yandex.ru |
---|---|
State | Superseded |
Headers | show |
Series | wifi: ath10k: fix memory leak in WMI management | expand |
Dmitry Antipov <dmantipov@yandex.ru> wrote: > Since 'mgmt_pending_tx' of 'struct ath10k_wmi' contains pointers > to dynamically allocated 'struct ath10k_mgmt_tx_pkt_addr' objects, > these objects should be explicitly freed when removing from idr > or when the whole idr is destroyed. > > Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> This needs testing on real hardware. Patch set to Changes Requested.
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c index 6b6aa3c36744..45a445c5f1df 100644 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c @@ -3038,11 +3038,18 @@ ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar, struct sk_buff *msdu) { struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu); + struct ath10k_mgmt_tx_pkt_addr *pkt_addr; struct ath10k_wmi *wmi = &ar->wmi; - idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id); + pkt_addr = idr_find(&wmi->mgmt_pending_tx, cb->msdu_id); + if (pkt_addr) { + idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id); + kfree(pkt_addr); + return 0; + } - return 0; + ath10k_warn(ar, "invalid msdu_id: %d\n", cb->msdu_id); + return -ENOENT; } static int diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 05fa7d4c0e1a..20534a7d6551 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -2433,9 +2433,9 @@ wmi_process_mgmt_tx_comp(struct ath10k *ar, struct mgmt_tx_compl_params *param) ieee80211_tx_status_irqsafe(ar->hw, msdu); ret = 0; - -out: idr_remove(&wmi->mgmt_pending_tx, param->desc_id); + kfree(pkt_addr); +out: spin_unlock_bh(&ar->data_lock); return ret; } @@ -9539,6 +9539,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_pending(int msdu_id, void *ptr, dma_unmap_single(ar->dev, pkt_addr->paddr, msdu->len, DMA_TO_DEVICE); ieee80211_free_txskb(ar->hw, msdu); + kfree(pkt_addr); return 0; }
Since 'mgmt_pending_tx' of 'struct ath10k_wmi' contains pointers to dynamically allocated 'struct ath10k_mgmt_tx_pkt_addr' objects, these objects should be explicitly freed when removing from idr or when the whole idr is destroyed. Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> --- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 11 +++++++++-- drivers/net/wireless/ath/ath10k/wmi.c | 5 +++-- 2 files changed, 12 insertions(+), 4 deletions(-)