Skip to content

Commit 386f97e

Browse files
Zhi ChenKalle Valo
Zhi Chen
authored and
Kalle Valo
committed
ath10k: fix tx_stats memory leak
Memory of tx_stats was allocated when a STA was added. But it's not freed if the STA failed to be added to driver. This issue could be seen in MDK3 attack case when STA number reached the limit. Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005 Signed-off-by: Zhi Chen <[email protected]> Signed-off-by: Kalle Valo <[email protected]>
1 parent 2d3b558 commit 386f97e

File tree

1 file changed

+13
-9
lines changed
  • drivers/net/wireless/ath/ath10k

1 file changed

+13
-9
lines changed

drivers/net/wireless/ath/ath10k/mac.c

Lines changed: 13 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -6279,15 +6279,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
62796279
ar->num_stations + 1, ar->max_num_stations,
62806280
ar->num_peers + 1, ar->max_num_peers);
62816281

6282-
if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
6283-
arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
6284-
GFP_KERNEL);
6285-
if (!arsta->tx_stats) {
6286-
ret = -ENOMEM;
6287-
goto exit;
6288-
}
6289-
}
6290-
62916282
num_tdls_stations = ath10k_mac_tdls_vif_stations_count(hw, vif);
62926283

62936284
if (sta->tdls) {
@@ -6308,12 +6299,22 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
63086299
goto exit;
63096300
}
63106301

6302+
if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
6303+
arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
6304+
GFP_KERNEL);
6305+
if (!arsta->tx_stats) {
6306+
ret = -ENOMEM;
6307+
goto exit;
6308+
}
6309+
}
6310+
63116311
ret = ath10k_peer_create(ar, vif, sta, arvif->vdev_id,
63126312
sta->addr, peer_type);
63136313
if (ret) {
63146314
ath10k_warn(ar, "failed to add peer %pM for vdev %d when adding a new sta: %i\n",
63156315
sta->addr, arvif->vdev_id, ret);
63166316
ath10k_mac_dec_num_stations(arvif, sta);
6317+
kfree(arsta->tx_stats);
63176318
goto exit;
63186319
}
63196320

@@ -6326,6 +6327,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
63266327
spin_unlock_bh(&ar->data_lock);
63276328
ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
63286329
ath10k_mac_dec_num_stations(arvif, sta);
6330+
kfree(arsta->tx_stats);
63296331
ret = -ENOENT;
63306332
goto exit;
63316333
}
@@ -6346,6 +6348,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
63466348
ath10k_peer_delete(ar, arvif->vdev_id,
63476349
sta->addr);
63486350
ath10k_mac_dec_num_stations(arvif, sta);
6351+
kfree(arsta->tx_stats);
63496352
goto exit;
63506353
}
63516354

@@ -6357,6 +6360,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
63576360
sta->addr, arvif->vdev_id, ret);
63586361
ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
63596362
ath10k_mac_dec_num_stations(arvif, sta);
6363+
kfree(arsta->tx_stats);
63606364

63616365
if (num_tdls_stations != 0)
63626366
goto exit;

0 commit comments

Comments
 (0)