diff mbox series

[2/3] wifi: ath11k: fix leaking peer->tfm_mmic in reset scenario

Message ID 20240826014942.87783-3-quic_bqiang@quicinc.com
State New
Headers show
Series wifi: ath11k: fix memory leak in reset scenario | expand

Commit Message

Baochen Qiang Aug. 26, 2024, 1:49 a.m. UTC
Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(),
when the corresponding station transit from NONE to NOTEXIST state within
ath11k_mac_op_sta_state(). However in reset scenario, there is no chance for
it to go through such transition. Further, during reset, we call
ath11k_mac_peer_cleanup_all() where peer is freed, thus leak peer->tfm_mmic:

Kmemleak reports:
unreferenced object 0xffff9a3ca7828d00 (size 64):
  backtrace (crc 4a016586):
    __kmalloc_node_noprof+0x38f/0x480
    crypto_alloc_tfmmem.isra.0+0x2e/0x60
    crypto_create_tfm_node+0x29/0xe0
    crypto_alloc_tfm_node+0x5d/0x130
    ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k]
    ath11k_dp_peer_setup+0x82/0x160 [ath11k]
    ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k]
    drv_sta_state+0x11e/0x9c0 [mac80211]
    sta_info_insert_rcu+0x469/0x880 [mac80211]
    sta_info_insert+0x10/0x80 [mac80211]
    ieee80211_prep_connection+0x295/0x950 [mac80211]
    ieee80211_mgd_auth+0x230/0x5a0 [mac80211]
    cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211]

In order to fix it we need to call crypto_free_shash() as well in
ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is
also called there, we can simply replace it with ath11k_dp_peer_cleanup().

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
---
 drivers/net/wireless/ath/ath11k/mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Karthikeyan Periyasamy Aug. 28, 2024, 12:33 a.m. UTC | #1
On 8/26/2024 7:19 AM, Baochen Qiang wrote:
> Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(),
> when the corresponding station transit from NONE to NOTEXIST state within
> ath11k_mac_op_sta_state(). However in reset scenario, there is no chance for
> it to go through such transition. Further, during reset, we call
> ath11k_mac_peer_cleanup_all() where peer is freed, thus leak peer->tfm_mmic:
> 
> Kmemleak reports:
> unreferenced object 0xffff9a3ca7828d00 (size 64):
>    backtrace (crc 4a016586):
>      __kmalloc_node_noprof+0x38f/0x480
>      crypto_alloc_tfmmem.isra.0+0x2e/0x60
>      crypto_create_tfm_node+0x29/0xe0
>      crypto_alloc_tfm_node+0x5d/0x130
>      ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k]
>      ath11k_dp_peer_setup+0x82/0x160 [ath11k]
>      ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k]
>      drv_sta_state+0x11e/0x9c0 [mac80211]
>      sta_info_insert_rcu+0x469/0x880 [mac80211]
>      sta_info_insert+0x10/0x80 [mac80211]
>      ieee80211_prep_connection+0x295/0x950 [mac80211]
>      ieee80211_mgd_auth+0x230/0x5a0 [mac80211]
>      cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211]
> 
> In order to fix it we need to call crypto_free_shash() as well in
> ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is
> also called there, we can simply replace it with ath11k_dp_peer_cleanup().
> 
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
> 
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com>
> ---
>   drivers/net/wireless/ath/ath11k/mac.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
> index f1dff26bc237..f21d37cefb65 100644
> --- a/drivers/net/wireless/ath/ath11k/mac.c
> +++ b/drivers/net/wireless/ath/ath11k/mac.c
> @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar)
>   	mutex_lock(&ab->tbl_mtx_lock);
>   	spin_lock_bh(&ab->base_lock);
>   	list_for_each_entry_safe(peer, tmp, &ab->peers, list) {
> -		ath11k_peer_rx_tid_cleanup(ar, peer);
> +		ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr);

peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not 
cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. 
Instead its freed in ath11k_dp_peer_cleanup(). can you refactor 
allocation/deallocation symmetric funcs ?
Jeff Johnson Jan. 10, 2025, 7:15 p.m. UTC | #2
On 8/27/2024 5:33 PM, Karthikeyan Periyasamy wrote:
> On 8/26/2024 7:19 AM, Baochen Qiang wrote:
...
>> @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar)
>>   	mutex_lock(&ab->tbl_mtx_lock);
>>   	spin_lock_bh(&ab->base_lock);
>>   	list_for_each_entry_safe(peer, tmp, &ab->peers, list) {
>> -		ath11k_peer_rx_tid_cleanup(ar, peer);
>> +		ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr);
> 
> peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not 
> cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. 
> Instead its freed in ath11k_dp_peer_cleanup(). can you refactor 
> allocation/deallocation symmetric funcs ?

There was no action on this review comment.

Do you plan on submitting a v2?

/jeff
Baochen Qiang Jan. 15, 2025, 8:09 a.m. UTC | #3
On 1/11/2025 3:15 AM, Jeff Johnson wrote:
> On 8/27/2024 5:33 PM, Karthikeyan Periyasamy wrote:
>> On 8/26/2024 7:19 AM, Baochen Qiang wrote:
> ...
>>> @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar)
>>>   	mutex_lock(&ab->tbl_mtx_lock);
>>>   	spin_lock_bh(&ab->base_lock);
>>>   	list_for_each_entry_safe(peer, tmp, &ab->peers, list) {
>>> -		ath11k_peer_rx_tid_cleanup(ar, peer);
>>> +		ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr);
>>
>> peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not 
>> cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. 
>> Instead its freed in ath11k_dp_peer_cleanup(). can you refactor 
>> allocation/deallocation symmetric funcs ?
> 
> There was no action on this review comment.
> 
> Do you plan on submitting a v2?

sorry for not manage to respond timely.

Regarding this comment, my impression is that peer->tfm_mmic is not the only filed being
non-symmetric, and it is not easy to refactor it to achieve symmetry. So my plan is to
leave the patch as is, and a separate patch could be cooked in the future if we want to do
refactor.

> 
> /jeff
>
diff mbox series

Patch

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index f1dff26bc237..f21d37cefb65 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -883,7 +883,7 @@  void ath11k_mac_peer_cleanup_all(struct ath11k *ar)
 	mutex_lock(&ab->tbl_mtx_lock);
 	spin_lock_bh(&ab->base_lock);
 	list_for_each_entry_safe(peer, tmp, &ab->peers, list) {
-		ath11k_peer_rx_tid_cleanup(ar, peer);
+		ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr);
 		ath11k_peer_rhash_delete(ab, peer);
 		list_del(&peer->list);
 		kfree(peer);