From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zhi Chen <zhichen@codeaurora.org>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 242/304] ath10k: fix tx_stats memory leak
Date: Mon, 28 Jan 2019 10:42:39 -0500 [thread overview]
Message-ID: <20190128154341.47195-242-sashal@kernel.org> (raw)
In-Reply-To: <20190128154341.47195-1-sashal@kernel.org>
From: Zhi Chen <zhichen@codeaurora.org>
[ Upstream commit 386f97e3b201d18578abb0e7037b85a1ae50c0a3 ]
Memory of tx_stats was allocated when a STA was added. But it's not freed
if the STA failed to be added to driver. This issue could be seen in MDK3
attack case when STA number reached the limit.
Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/mac.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 6436dc229be5..400495858e4e 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -6293,15 +6293,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
ar->num_stations + 1, ar->max_num_stations,
ar->num_peers + 1, ar->max_num_peers);
- if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
- arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
- GFP_KERNEL);
- if (!arsta->tx_stats) {
- ret = -ENOMEM;
- goto exit;
- }
- }
-
num_tdls_stations = ath10k_mac_tdls_vif_stations_count(hw, vif);
num_tdls_vifs = ath10k_mac_tdls_vifs_count(hw);
@@ -6323,12 +6314,22 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
goto exit;
}
+ if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
+ arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
+ GFP_KERNEL);
+ if (!arsta->tx_stats) {
+ ret = -ENOMEM;
+ goto exit;
+ }
+ }
+
ret = ath10k_peer_create(ar, vif, sta, arvif->vdev_id,
sta->addr, peer_type);
if (ret) {
ath10k_warn(ar, "failed to add peer %pM for vdev %d when adding a new sta: %i\n",
sta->addr, arvif->vdev_id, ret);
ath10k_mac_dec_num_stations(arvif, sta);
+ kfree(arsta->tx_stats);
goto exit;
}
@@ -6341,6 +6342,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
spin_unlock_bh(&ar->data_lock);
ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
ath10k_mac_dec_num_stations(arvif, sta);
+ kfree(arsta->tx_stats);
ret = -ENOENT;
goto exit;
}
@@ -6361,6 +6363,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
ath10k_peer_delete(ar, arvif->vdev_id,
sta->addr);
ath10k_mac_dec_num_stations(arvif, sta);
+ kfree(arsta->tx_stats);
goto exit;
}
@@ -6372,6 +6375,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
sta->addr, arvif->vdev_id, ret);
ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
ath10k_mac_dec_num_stations(arvif, sta);
+ kfree(arsta->tx_stats);
if (num_tdls_stations != 0)
goto exit;
--
2.19.1
prev parent reply other threads:[~2019-01-28 17:34 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190128154341.47195-1-sashal@kernel.org>
2019-01-28 15:38 ` [PATCH AUTOSEL 4.20 015/304] wil6210: fix reset flow for Talyn-mb Sasha Levin
2019-01-28 15:38 ` [PATCH AUTOSEL 4.20 016/304] wil6210: fix memory leak in wil_find_tx_bcast_2 Sasha Levin
2019-01-28 15:38 ` [PATCH AUTOSEL 4.20 017/304] ath10k: assign 'n_cipher_suites' for WCN3990 Sasha Levin
2019-01-28 15:38 ` [PATCH AUTOSEL 4.20 018/304] ath9k: dynack: use authentication messages for 'late' ack Sasha Levin
2019-01-28 15:39 ` [PATCH AUTOSEL 4.20 041/304] iwlwifi: fw: do not set sgi bits for HE connection Sasha Levin
2019-01-28 15:40 ` [PATCH AUTOSEL 4.20 104/304] mt76x0: dfs: fix IBI_R11 configuration on non-radar channels Sasha Levin
2019-01-28 15:40 ` [PATCH AUTOSEL 4.20 105/304] mt76x0: use band parameter for LC calibration Sasha Levin
2019-01-28 15:40 ` [PATCH AUTOSEL 4.20 127/304] mac80211: fix deauth TX when we disconnect Sasha Levin
2019-01-28 15:42 ` [PATCH AUTOSEL 4.20 207/304] mac80211: Properly handle SKB with radiotap only Sasha Levin
2019-01-28 15:42 ` [PATCH AUTOSEL 4.20 223/304] mac80211: fix radiotap vendor presence bitmap handling Sasha Levin
2019-01-28 15:42 ` [PATCH AUTOSEL 4.20 229/304] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() Sasha Levin
2019-01-28 15:42 ` [PATCH AUTOSEL 4.20 234/304] iwlwifi: mvm: fix setting HE ppe FW config Sasha Levin
2019-01-28 15:42 ` [PATCH AUTOSEL 4.20 241/304] ath10k: fix kernel panic due to use after free Sasha Levin
2019-01-28 15:42 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190128154341.47195-242-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ath10k@lists.infradead.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhichen@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).