[PATCH wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment()

[PATCH wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment()

[Lorenzo Bianconi]

Fix a memory leak in mt76_add_fragment routine returning the buffer
to the page_frag_cache when we receive a new fragment and the
skb_shared_info frag array is full.

Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/dma.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index 73eeb00d5aa6..e81dfaf99bcb 100644
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -509,15 +509,17 @@ static void
 mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
 		  int len, bool more)
 {
-	struct page *page = virt_to_head_page(data);
-	int offset = data - page_address(page);
 	struct sk_buff *skb = q->rx_head;
 	struct skb_shared_info *shinfo = skb_shinfo(skb);
 
 	if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
-		offset += q->buf_offset;
+		struct page *page = virt_to_head_page(data);
+		int offset = data - page_address(page) + q->buf_offset;
+
 		skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
 				q->buf_size);
+	} else {
+		skb_free_frag(data);
 	}
 
 	if (more)
-- 
2.29.2

Re: [PATCH wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment()

[Kalle Valo]

Lorenzo Bianconi <lorenzo@kernel.org> wrote:

> Fix a memory leak in mt76_add_fragment routine returning the buffer
> to the page_frag_cache when we receive a new fragment and the
> skb_shared_info frag array is full.
> 
> Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>

I assigned this to me on patchwork and queued for v5.11. Felix, can you ack?

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Re: [PATCH wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment()

[Felix Fietkau]

On 2021-01-26 12:02, Lorenzo Bianconi wrote:
> Fix a memory leak in mt76_add_fragment routine returning the buffer
> to the page_frag_cache when we receive a new fragment and the
> skb_shared_info frag array is full.
> 
> Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Acked-by: Felix Fietkau <nbd@nbd.name>

Thanks,

- Felix

Re: [PATCH wireless-drivers] mt76: dma: fix a possible memory leak in mt76_add_fragment()

[Kalle Valo]

Lorenzo Bianconi <lorenzo@kernel.org> wrote:

> Fix a memory leak in mt76_add_fragment routine returning the buffer
> to the page_frag_cache when we receive a new fragment and the
> skb_shared_info frag array is full.
> 
> Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> Acked-by: Felix Fietkau <nbd@nbd.name>

Patch applied to wireless-drivers.git, thanks.

93a1d4791c10 mt76: dma: fix a possible memory leak in mt76_add_fragment()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches