From: Vasanthakumar Thiagarajan Date: Tue, 14 Aug 2012 04:40:34 +0000 (+0530) Subject: ath6kl: Fix potential memory leak in ath6kl_tx_complete() X-Git-Tag: firefly_0821_release~3680^2~1480^2~17^2~198^2~31 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=8114f9b6d28686de02c3f83f0543665728b1a15b;p=firefly-linux-kernel-4.4.55.git ath6kl: Fix potential memory leak in ath6kl_tx_complete() We bail out from ath6kl_tx_complete() if any of the sanity checks on skb and ath6kl_cookie fails. By doing this we potentially leak few remaining buffers in packet_queue. Make sure to proceed processing the remaining buffers as well. This issue is found during code review. Reported-by: Wang yufeng Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: Kalle Valo --- diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c index aab825152b19..740a488ef504 100644 --- a/drivers/net/wireless/ath/ath6kl/txrx.c +++ b/drivers/net/wireless/ath/ath6kl/txrx.c @@ -698,21 +698,26 @@ void ath6kl_tx_complete(struct htc_target *target, list_del(&packet->list); ath6kl_cookie = (struct ath6kl_cookie *)packet->pkt_cntxt; - if (!ath6kl_cookie) - goto fatal; + if (WARN_ON_ONCE(!ath6kl_cookie)) + continue; status = packet->status; skb = ath6kl_cookie->skb; eid = packet->endpoint; map_no = ath6kl_cookie->map_no; - if (!skb || !skb->data) - goto fatal; + if (WARN_ON_ONCE(!skb || !skb->data)) { + dev_kfree_skb(skb); + ath6kl_free_cookie(ar, ath6kl_cookie); + continue; + } __skb_queue_tail(&skb_queue, skb); - if (!status && (packet->act_len != skb->len)) - goto fatal; + if (WARN_ON_ONCE(!status && (packet->act_len != skb->len))) { + ath6kl_free_cookie(ar, ath6kl_cookie); + continue; + } ar->tx_pending[eid]--; @@ -794,11 +799,6 @@ void ath6kl_tx_complete(struct htc_target *target, wake_up(&ar->event_wq); return; - -fatal: - WARN_ON(1); - spin_unlock_bh(&ar->lock); - return; } void ath6kl_tx_data_cleanup(struct ath6kl *ar)