diff options
author | Felix Fietkau <nbd@openwrt.org> | 2012-10-08 08:39:33 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2012-10-08 15:06:05 -0400 |
commit | c3e7724b6bc2f25e46c38dbe68f09d71fafeafb8 (patch) | |
tree | c53c47afd35c31d170f0c9f339178e549883c9c1 /net/mac80211 | |
parent | 5bcbc3fcbd88842765aa419934602d3930c6ed3c (diff) |
mac80211: use ieee80211_free_txskb to fix possible skb leaks
A few places free skbs using dev_kfree_skb even though they're called
after ieee80211_subif_start_xmit might have cloned it for tracking tx
status. Use ieee80211_free_txskb here to prevent skb leaks.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r-- | net/mac80211/status.c | 4 | ||||
-rw-r--r-- | net/mac80211/tx.c | 22 |
2 files changed, 14 insertions, 12 deletions
diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 2ce89732d0f2..3af0cc4130f1 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c | |||
@@ -34,7 +34,7 @@ void ieee80211_tx_status_irqsafe(struct ieee80211_hw *hw, | |||
34 | skb_queue_len(&local->skb_queue_unreliable); | 34 | skb_queue_len(&local->skb_queue_unreliable); |
35 | while (tmp > IEEE80211_IRQSAFE_QUEUE_LIMIT && | 35 | while (tmp > IEEE80211_IRQSAFE_QUEUE_LIMIT && |
36 | (skb = skb_dequeue(&local->skb_queue_unreliable))) { | 36 | (skb = skb_dequeue(&local->skb_queue_unreliable))) { |
37 | dev_kfree_skb_irq(skb); | 37 | ieee80211_free_txskb(hw, skb); |
38 | tmp--; | 38 | tmp--; |
39 | I802_DEBUG_INC(local->tx_status_drop); | 39 | I802_DEBUG_INC(local->tx_status_drop); |
40 | } | 40 | } |
@@ -159,7 +159,7 @@ static void ieee80211_handle_filtered_frame(struct ieee80211_local *local, | |||
159 | "dropped TX filtered frame, queue_len=%d PS=%d @%lu\n", | 159 | "dropped TX filtered frame, queue_len=%d PS=%d @%lu\n", |
160 | skb_queue_len(&sta->tx_filtered[ac]), | 160 | skb_queue_len(&sta->tx_filtered[ac]), |
161 | !!test_sta_flag(sta, WLAN_STA_PS_STA), jiffies); | 161 | !!test_sta_flag(sta, WLAN_STA_PS_STA), jiffies); |
162 | dev_kfree_skb(skb); | 162 | ieee80211_free_txskb(&local->hw, skb); |
163 | } | 163 | } |
164 | 164 | ||
165 | static void ieee80211_check_pending_bar(struct sta_info *sta, u8 *addr, u8 tid) | 165 | static void ieee80211_check_pending_bar(struct sta_info *sta, u8 *addr, u8 tid) |
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index e0e0d1d0e830..c9bf83f36657 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c | |||
@@ -354,7 +354,7 @@ static void purge_old_ps_buffers(struct ieee80211_local *local) | |||
354 | total += skb_queue_len(&sta->ps_tx_buf[ac]); | 354 | total += skb_queue_len(&sta->ps_tx_buf[ac]); |
355 | if (skb) { | 355 | if (skb) { |
356 | purged++; | 356 | purged++; |
357 | dev_kfree_skb(skb); | 357 | ieee80211_free_txskb(&local->hw, skb); |
358 | break; | 358 | break; |
359 | } | 359 | } |
360 | } | 360 | } |
@@ -466,7 +466,7 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx) | |||
466 | ps_dbg(tx->sdata, | 466 | ps_dbg(tx->sdata, |
467 | "STA %pM TX buffer for AC %d full - dropping oldest frame\n", | 467 | "STA %pM TX buffer for AC %d full - dropping oldest frame\n", |
468 | sta->sta.addr, ac); | 468 | sta->sta.addr, ac); |
469 | dev_kfree_skb(old); | 469 | ieee80211_free_txskb(&local->hw, old); |
470 | } else | 470 | } else |
471 | tx->local->total_ps_buffered++; | 471 | tx->local->total_ps_buffered++; |
472 | 472 | ||
@@ -1103,7 +1103,7 @@ static bool ieee80211_tx_prep_agg(struct ieee80211_tx_data *tx, | |||
1103 | spin_unlock(&tx->sta->lock); | 1103 | spin_unlock(&tx->sta->lock); |
1104 | 1104 | ||
1105 | if (purge_skb) | 1105 | if (purge_skb) |
1106 | dev_kfree_skb(purge_skb); | 1106 | ieee80211_free_txskb(&tx->local->hw, purge_skb); |
1107 | } | 1107 | } |
1108 | 1108 | ||
1109 | /* reset session timer */ | 1109 | /* reset session timer */ |
@@ -1214,7 +1214,7 @@ static bool ieee80211_tx_frags(struct ieee80211_local *local, | |||
1214 | #ifdef CONFIG_MAC80211_VERBOSE_DEBUG | 1214 | #ifdef CONFIG_MAC80211_VERBOSE_DEBUG |
1215 | if (WARN_ON_ONCE(q >= local->hw.queues)) { | 1215 | if (WARN_ON_ONCE(q >= local->hw.queues)) { |
1216 | __skb_unlink(skb, skbs); | 1216 | __skb_unlink(skb, skbs); |
1217 | dev_kfree_skb(skb); | 1217 | ieee80211_free_txskb(&local->hw, skb); |
1218 | continue; | 1218 | continue; |
1219 | } | 1219 | } |
1220 | #endif | 1220 | #endif |
@@ -1356,7 +1356,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx) | |||
1356 | if (unlikely(res == TX_DROP)) { | 1356 | if (unlikely(res == TX_DROP)) { |
1357 | I802_DEBUG_INC(tx->local->tx_handlers_drop); | 1357 | I802_DEBUG_INC(tx->local->tx_handlers_drop); |
1358 | if (tx->skb) | 1358 | if (tx->skb) |
1359 | dev_kfree_skb(tx->skb); | 1359 | ieee80211_free_txskb(&tx->local->hw, tx->skb); |
1360 | else | 1360 | else |
1361 | __skb_queue_purge(&tx->skbs); | 1361 | __skb_queue_purge(&tx->skbs); |
1362 | return -1; | 1362 | return -1; |
@@ -1393,7 +1393,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata, | |||
1393 | res_prepare = ieee80211_tx_prepare(sdata, &tx, skb); | 1393 | res_prepare = ieee80211_tx_prepare(sdata, &tx, skb); |
1394 | 1394 | ||
1395 | if (unlikely(res_prepare == TX_DROP)) { | 1395 | if (unlikely(res_prepare == TX_DROP)) { |
1396 | dev_kfree_skb(skb); | 1396 | ieee80211_free_txskb(&local->hw, skb); |
1397 | goto out; | 1397 | goto out; |
1398 | } else if (unlikely(res_prepare == TX_QUEUED)) { | 1398 | } else if (unlikely(res_prepare == TX_QUEUED)) { |
1399 | goto out; | 1399 | goto out; |
@@ -1465,7 +1465,7 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb) | |||
1465 | headroom = max_t(int, 0, headroom); | 1465 | headroom = max_t(int, 0, headroom); |
1466 | 1466 | ||
1467 | if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) { | 1467 | if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) { |
1468 | dev_kfree_skb(skb); | 1468 | ieee80211_free_txskb(&local->hw, skb); |
1469 | rcu_read_unlock(); | 1469 | rcu_read_unlock(); |
1470 | return; | 1470 | return; |
1471 | } | 1471 | } |
@@ -2050,8 +2050,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb, | |||
2050 | head_need += IEEE80211_ENCRYPT_HEADROOM; | 2050 | head_need += IEEE80211_ENCRYPT_HEADROOM; |
2051 | head_need += local->tx_headroom; | 2051 | head_need += local->tx_headroom; |
2052 | head_need = max_t(int, 0, head_need); | 2052 | head_need = max_t(int, 0, head_need); |
2053 | if (ieee80211_skb_resize(sdata, skb, head_need, true)) | 2053 | if (ieee80211_skb_resize(sdata, skb, head_need, true)) { |
2054 | goto fail; | 2054 | ieee80211_free_txskb(&local->hw, skb); |
2055 | return NETDEV_TX_OK; | ||
2056 | } | ||
2055 | } | 2057 | } |
2056 | 2058 | ||
2057 | if (encaps_data) { | 2059 | if (encaps_data) { |
@@ -2184,7 +2186,7 @@ void ieee80211_tx_pending(unsigned long data) | |||
2184 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); | 2186 | struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); |
2185 | 2187 | ||
2186 | if (WARN_ON(!info->control.vif)) { | 2188 | if (WARN_ON(!info->control.vif)) { |
2187 | kfree_skb(skb); | 2189 | ieee80211_free_txskb(&local->hw, skb); |
2188 | continue; | 2190 | continue; |
2189 | } | 2191 | } |
2190 | 2192 | ||