Commit 8114f9b6 authored by Vasanthakumar Thiagarajan's avatar Vasanthakumar Thiagarajan Committed by Kalle Valo

ath6kl: Fix potential memory leak in ath6kl_tx_complete()

We bail out from ath6kl_tx_complete() if any of the sanity
checks on skb and ath6kl_cookie fails. By doing this we
potentially leak few remaining buffers in packet_queue.
Make sure to proceed processing the remaining buffers
as well. This issue is found during code review.
Reported-by: default avatarWang yufeng <yufengw@qca.qualcomm.com>
Signed-off-by: default avatarVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent 0616dc1f
...@@ -698,21 +698,26 @@ void ath6kl_tx_complete(struct htc_target *target, ...@@ -698,21 +698,26 @@ void ath6kl_tx_complete(struct htc_target *target,
list_del(&packet->list); list_del(&packet->list);
ath6kl_cookie = (struct ath6kl_cookie *)packet->pkt_cntxt; ath6kl_cookie = (struct ath6kl_cookie *)packet->pkt_cntxt;
if (!ath6kl_cookie) if (WARN_ON_ONCE(!ath6kl_cookie))
goto fatal; continue;
status = packet->status; status = packet->status;
skb = ath6kl_cookie->skb; skb = ath6kl_cookie->skb;
eid = packet->endpoint; eid = packet->endpoint;
map_no = ath6kl_cookie->map_no; map_no = ath6kl_cookie->map_no;
if (!skb || !skb->data) if (WARN_ON_ONCE(!skb || !skb->data)) {
goto fatal; dev_kfree_skb(skb);
ath6kl_free_cookie(ar, ath6kl_cookie);
continue;
}
__skb_queue_tail(&skb_queue, skb); __skb_queue_tail(&skb_queue, skb);
if (!status && (packet->act_len != skb->len)) if (WARN_ON_ONCE(!status && (packet->act_len != skb->len))) {
goto fatal; ath6kl_free_cookie(ar, ath6kl_cookie);
continue;
}
ar->tx_pending[eid]--; ar->tx_pending[eid]--;
...@@ -794,11 +799,6 @@ void ath6kl_tx_complete(struct htc_target *target, ...@@ -794,11 +799,6 @@ void ath6kl_tx_complete(struct htc_target *target,
wake_up(&ar->event_wq); wake_up(&ar->event_wq);
return; return;
fatal:
WARN_ON(1);
spin_unlock_bh(&ar->lock);
return;
} }
void ath6kl_tx_data_cleanup(struct ath6kl *ar) void ath6kl_tx_data_cleanup(struct ath6kl *ar)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment