Message ID | 20240826014942.87783-3-quic_bqiang@quicinc.com |
---|---|
State | New |
Headers | show |
Series | wifi: ath11k: fix memory leak in reset scenario | expand |
On 8/26/2024 7:19 AM, Baochen Qiang wrote: > Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(), > when the corresponding station transit from NONE to NOTEXIST state within > ath11k_mac_op_sta_state(). However in reset scenario, there is no chance for > it to go through such transition. Further, during reset, we call > ath11k_mac_peer_cleanup_all() where peer is freed, thus leak peer->tfm_mmic: > > Kmemleak reports: > unreferenced object 0xffff9a3ca7828d00 (size 64): > backtrace (crc 4a016586): > __kmalloc_node_noprof+0x38f/0x480 > crypto_alloc_tfmmem.isra.0+0x2e/0x60 > crypto_create_tfm_node+0x29/0xe0 > crypto_alloc_tfm_node+0x5d/0x130 > ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k] > ath11k_dp_peer_setup+0x82/0x160 [ath11k] > ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k] > drv_sta_state+0x11e/0x9c0 [mac80211] > sta_info_insert_rcu+0x469/0x880 [mac80211] > sta_info_insert+0x10/0x80 [mac80211] > ieee80211_prep_connection+0x295/0x950 [mac80211] > ieee80211_mgd_auth+0x230/0x5a0 [mac80211] > cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211] > > In order to fix it we need to call crypto_free_shash() as well in > ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is > also called there, we can simply replace it with ath11k_dp_peer_cleanup(). > > Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 > > Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> > --- > drivers/net/wireless/ath/ath11k/mac.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c > index f1dff26bc237..f21d37cefb65 100644 > --- a/drivers/net/wireless/ath/ath11k/mac.c > +++ b/drivers/net/wireless/ath/ath11k/mac.c > @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar) > mutex_lock(&ab->tbl_mtx_lock); > spin_lock_bh(&ab->base_lock); > list_for_each_entry_safe(peer, tmp, &ab->peers, list) { > - ath11k_peer_rx_tid_cleanup(ar, peer); > + ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr); peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. Instead its freed in ath11k_dp_peer_cleanup(). can you refactor allocation/deallocation symmetric funcs ?
On 8/27/2024 5:33 PM, Karthikeyan Periyasamy wrote: > On 8/26/2024 7:19 AM, Baochen Qiang wrote: ... >> @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar) >> mutex_lock(&ab->tbl_mtx_lock); >> spin_lock_bh(&ab->base_lock); >> list_for_each_entry_safe(peer, tmp, &ab->peers, list) { >> - ath11k_peer_rx_tid_cleanup(ar, peer); >> + ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr); > > peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not > cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. > Instead its freed in ath11k_dp_peer_cleanup(). can you refactor > allocation/deallocation symmetric funcs ? There was no action on this review comment. Do you plan on submitting a v2? /jeff
On 1/11/2025 3:15 AM, Jeff Johnson wrote: > On 8/27/2024 5:33 PM, Karthikeyan Periyasamy wrote: >> On 8/26/2024 7:19 AM, Baochen Qiang wrote: > ... >>> @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar) >>> mutex_lock(&ab->tbl_mtx_lock); >>> spin_lock_bh(&ab->base_lock); >>> list_for_each_entry_safe(peer, tmp, &ab->peers, list) { >>> - ath11k_peer_rx_tid_cleanup(ar, peer); >>> + ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr); >> >> peer->tfm_mmic is allocated in ath11k_peer_rx_frag_setup() but its not >> cleanup in ath11k_dp_rx_frags_cleanup(), which is not symmetric now. >> Instead its freed in ath11k_dp_peer_cleanup(). can you refactor >> allocation/deallocation symmetric funcs ? > > There was no action on this review comment. > > Do you plan on submitting a v2? sorry for not manage to respond timely. Regarding this comment, my impression is that peer->tfm_mmic is not the only filed being non-symmetric, and it is not easy to refactor it to achieve symmetry. So my plan is to leave the patch as is, and a separate patch could be cooked in the future if we want to do refactor. > > /jeff >
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c index f1dff26bc237..f21d37cefb65 100644 --- a/drivers/net/wireless/ath/ath11k/mac.c +++ b/drivers/net/wireless/ath/ath11k/mac.c @@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar) mutex_lock(&ab->tbl_mtx_lock); spin_lock_bh(&ab->base_lock); list_for_each_entry_safe(peer, tmp, &ab->peers, list) { - ath11k_peer_rx_tid_cleanup(ar, peer); + ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr); ath11k_peer_rhash_delete(ab, peer); list_del(&peer->list); kfree(peer);
Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(), when the corresponding station transit from NONE to NOTEXIST state within ath11k_mac_op_sta_state(). However in reset scenario, there is no chance for it to go through such transition. Further, during reset, we call ath11k_mac_peer_cleanup_all() where peer is freed, thus leak peer->tfm_mmic: Kmemleak reports: unreferenced object 0xffff9a3ca7828d00 (size 64): backtrace (crc 4a016586): __kmalloc_node_noprof+0x38f/0x480 crypto_alloc_tfmmem.isra.0+0x2e/0x60 crypto_create_tfm_node+0x29/0xe0 crypto_alloc_tfm_node+0x5d/0x130 ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k] ath11k_dp_peer_setup+0x82/0x160 [ath11k] ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k] drv_sta_state+0x11e/0x9c0 [mac80211] sta_info_insert_rcu+0x469/0x880 [mac80211] sta_info_insert+0x10/0x80 [mac80211] ieee80211_prep_connection+0x295/0x950 [mac80211] ieee80211_mgd_auth+0x230/0x5a0 [mac80211] cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211] In order to fix it we need to call crypto_free_shash() as well in ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is also called there, we can simply replace it with ath11k_dp_peer_cleanup(). Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> --- drivers/net/wireless/ath/ath11k/mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)