@@ -3038,11 +3038,18 @@ ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
struct sk_buff *msdu)
{
struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
+ struct ath10k_mgmt_tx_pkt_addr *pkt_addr;
struct ath10k_wmi *wmi = &ar->wmi;
- idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
+ pkt_addr = idr_find(&wmi->mgmt_pending_tx, cb->msdu_id);
+ if (pkt_addr) {
+ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
+ kfree(pkt_addr);
+ return 0;
+ }
- return 0;
+ ath10k_warn(ar, "invalid msdu_id: %d\n", cb->msdu_id);
+ return -ENOENT;
}
static int
@@ -2433,9 +2433,9 @@ wmi_process_mgmt_tx_comp(struct ath10k *ar, struct mgmt_tx_compl_params *param)
ieee80211_tx_status_irqsafe(ar->hw, msdu);
ret = 0;
-
-out:
idr_remove(&wmi->mgmt_pending_tx, param->desc_id);
+ kfree(pkt_addr);
+out:
spin_unlock_bh(&ar->data_lock);
return ret;
}
@@ -9539,6 +9539,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_pending(int msdu_id, void *ptr,
dma_unmap_single(ar->dev, pkt_addr->paddr,
msdu->len, DMA_TO_DEVICE);
ieee80211_free_txskb(ar->hw, msdu);
+ kfree(pkt_addr);
return 0;
}
Since 'mgmt_pending_tx' of 'struct ath10k_wmi' contains pointers to dynamically allocated 'struct ath10k_mgmt_tx_pkt_addr' objects, these objects should be explicitly freed when removing from idr or when the whole idr is destroyed. Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event") Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> --- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 11 +++++++++-- drivers/net/wireless/ath/ath10k/wmi.c | 5 +++-- 2 files changed, 12 insertions(+), 4 deletions(-)