Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8114f9b6 authored by Vasanthakumar Thiagarajan's avatar Vasanthakumar Thiagarajan Committed by Kalle Valo
Browse files

ath6kl: Fix potential memory leak in ath6kl_tx_complete() 



We bail out from ath6kl_tx_complete() if any of the sanity
checks on skb and ath6kl_cookie fails. By doing this we
potentially leak few remaining buffers in packet_queue.
Make sure to proceed processing the remaining buffers
as well. This issue is found during code review.

Reported-by: default avatarWang yufeng <yufengw@qca.qualcomm.com>
Signed-off-by: default avatarVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent 0616dc1f

drivers/net/wireless/ath/ath6kl/txrx.c

+11 −11
Original line number Diff line number Diff line
@@ -698,21 +698,26 @@ void ath6kl_tx_complete(struct htc_target *target, 
		list_del(&packet->list);



		ath6kl_cookie = (struct ath6kl_cookie *)packet->pkt_cntxt;

		if (!ath6kl_cookie)

			goto fatal;

		if (WARN_ON_ONCE(!ath6kl_cookie))

			continue;



		status = packet->status;

		skb = ath6kl_cookie->skb;

		eid = packet->endpoint;

		map_no = ath6kl_cookie->map_no;



		if (!skb || !skb->data)

			goto fatal;

		if (WARN_ON_ONCE(!skb || !skb->data)) {

			dev_kfree_skb(skb);

			ath6kl_free_cookie(ar, ath6kl_cookie);

			continue;

		}



		__skb_queue_tail(&skb_queue, skb);



		if (!status && (packet->act_len != skb->len))

			goto fatal;

		if (WARN_ON_ONCE(!status && (packet->act_len != skb->len))) {

			ath6kl_free_cookie(ar, ath6kl_cookie);

			continue;

		}



		ar->tx_pending[eid]--;
@@ -794,11 +799,6 @@ void ath6kl_tx_complete(struct htc_target *target, 
		wake_up(&ar->event_wq);



	return;



fatal:

	WARN_ON(1);

	spin_unlock_bh(&ar->lock);

	return;

}



void ath6kl_tx_data_cleanup(struct ath6kl *ar)