aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2012-10-08 08:39:33 -0400
committerJohn W. Linville <linville@tuxdriver.com>2012-10-08 15:06:05 -0400
commitc3e7724b6bc2f25e46c38dbe68f09d71fafeafb8 (patch)
treec53c47afd35c31d170f0c9f339178e549883c9c1 /net/mac80211
parent5bcbc3fcbd88842765aa419934602d3930c6ed3c (diff)
mac80211: use ieee80211_free_txskb to fix possible skb leaks
A few places free skbs using dev_kfree_skb even though they're called after ieee80211_subif_start_xmit might have cloned it for tracking tx status. Use ieee80211_free_txskb here to prevent skb leaks. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/status.c4
-rw-r--r--net/mac80211/tx.c22
2 files changed, 14 insertions, 12 deletions
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 2ce89732d0f2..3af0cc4130f1 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -34,7 +34,7 @@ void ieee80211_tx_status_irqsafe(struct ieee80211_hw *hw,
34 skb_queue_len(&local->skb_queue_unreliable); 34 skb_queue_len(&local->skb_queue_unreliable);
35 while (tmp > IEEE80211_IRQSAFE_QUEUE_LIMIT && 35 while (tmp > IEEE80211_IRQSAFE_QUEUE_LIMIT &&
36 (skb = skb_dequeue(&local->skb_queue_unreliable))) { 36 (skb = skb_dequeue(&local->skb_queue_unreliable))) {
37 dev_kfree_skb_irq(skb); 37 ieee80211_free_txskb(hw, skb);
38 tmp--; 38 tmp--;
39 I802_DEBUG_INC(local->tx_status_drop); 39 I802_DEBUG_INC(local->tx_status_drop);
40 } 40 }
@@ -159,7 +159,7 @@ static void ieee80211_handle_filtered_frame(struct ieee80211_local *local,
159 "dropped TX filtered frame, queue_len=%d PS=%d @%lu\n", 159 "dropped TX filtered frame, queue_len=%d PS=%d @%lu\n",
160 skb_queue_len(&sta->tx_filtered[ac]), 160 skb_queue_len(&sta->tx_filtered[ac]),
161 !!test_sta_flag(sta, WLAN_STA_PS_STA), jiffies); 161 !!test_sta_flag(sta, WLAN_STA_PS_STA), jiffies);
162 dev_kfree_skb(skb); 162 ieee80211_free_txskb(&local->hw, skb);
163} 163}
164 164
165static void ieee80211_check_pending_bar(struct sta_info *sta, u8 *addr, u8 tid) 165static void ieee80211_check_pending_bar(struct sta_info *sta, u8 *addr, u8 tid)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e0e0d1d0e830..c9bf83f36657 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -354,7 +354,7 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
354 total += skb_queue_len(&sta->ps_tx_buf[ac]); 354 total += skb_queue_len(&sta->ps_tx_buf[ac]);
355 if (skb) { 355 if (skb) {
356 purged++; 356 purged++;
357 dev_kfree_skb(skb); 357 ieee80211_free_txskb(&local->hw, skb);
358 break; 358 break;
359 } 359 }
360 } 360 }
@@ -466,7 +466,7 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
466 ps_dbg(tx->sdata, 466 ps_dbg(tx->sdata,
467 "STA %pM TX buffer for AC %d full - dropping oldest frame\n", 467 "STA %pM TX buffer for AC %d full - dropping oldest frame\n",
468 sta->sta.addr, ac); 468 sta->sta.addr, ac);
469 dev_kfree_skb(old); 469 ieee80211_free_txskb(&local->hw, old);
470 } else 470 } else
471 tx->local->total_ps_buffered++; 471 tx->local->total_ps_buffered++;
472 472
@@ -1103,7 +1103,7 @@ static bool ieee80211_tx_prep_agg(struct ieee80211_tx_data *tx,
1103 spin_unlock(&tx->sta->lock); 1103 spin_unlock(&tx->sta->lock);
1104 1104
1105 if (purge_skb) 1105 if (purge_skb)
1106 dev_kfree_skb(purge_skb); 1106 ieee80211_free_txskb(&tx->local->hw, purge_skb);
1107 } 1107 }
1108 1108
1109 /* reset session timer */ 1109 /* reset session timer */
@@ -1214,7 +1214,7 @@ static bool ieee80211_tx_frags(struct ieee80211_local *local,
1214#ifdef CONFIG_MAC80211_VERBOSE_DEBUG 1214#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
1215 if (WARN_ON_ONCE(q >= local->hw.queues)) { 1215 if (WARN_ON_ONCE(q >= local->hw.queues)) {
1216 __skb_unlink(skb, skbs); 1216 __skb_unlink(skb, skbs);
1217 dev_kfree_skb(skb); 1217 ieee80211_free_txskb(&local->hw, skb);
1218 continue; 1218 continue;
1219 } 1219 }
1220#endif 1220#endif
@@ -1356,7 +1356,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
1356 if (unlikely(res == TX_DROP)) { 1356 if (unlikely(res == TX_DROP)) {
1357 I802_DEBUG_INC(tx->local->tx_handlers_drop); 1357 I802_DEBUG_INC(tx->local->tx_handlers_drop);
1358 if (tx->skb) 1358 if (tx->skb)
1359 dev_kfree_skb(tx->skb); 1359 ieee80211_free_txskb(&tx->local->hw, tx->skb);
1360 else 1360 else
1361 __skb_queue_purge(&tx->skbs); 1361 __skb_queue_purge(&tx->skbs);
1362 return -1; 1362 return -1;
@@ -1393,7 +1393,7 @@ static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
1393 res_prepare = ieee80211_tx_prepare(sdata, &tx, skb); 1393 res_prepare = ieee80211_tx_prepare(sdata, &tx, skb);
1394 1394
1395 if (unlikely(res_prepare == TX_DROP)) { 1395 if (unlikely(res_prepare == TX_DROP)) {
1396 dev_kfree_skb(skb); 1396 ieee80211_free_txskb(&local->hw, skb);
1397 goto out; 1397 goto out;
1398 } else if (unlikely(res_prepare == TX_QUEUED)) { 1398 } else if (unlikely(res_prepare == TX_QUEUED)) {
1399 goto out; 1399 goto out;
@@ -1465,7 +1465,7 @@ void ieee80211_xmit(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
1465 headroom = max_t(int, 0, headroom); 1465 headroom = max_t(int, 0, headroom);
1466 1466
1467 if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) { 1467 if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
1468 dev_kfree_skb(skb); 1468 ieee80211_free_txskb(&local->hw, skb);
1469 rcu_read_unlock(); 1469 rcu_read_unlock();
1470 return; 1470 return;
1471 } 1471 }
@@ -2050,8 +2050,10 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
2050 head_need += IEEE80211_ENCRYPT_HEADROOM; 2050 head_need += IEEE80211_ENCRYPT_HEADROOM;
2051 head_need += local->tx_headroom; 2051 head_need += local->tx_headroom;
2052 head_need = max_t(int, 0, head_need); 2052 head_need = max_t(int, 0, head_need);
2053 if (ieee80211_skb_resize(sdata, skb, head_need, true)) 2053 if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
2054 goto fail; 2054 ieee80211_free_txskb(&local->hw, skb);
2055 return NETDEV_TX_OK;
2056 }
2055 } 2057 }
2056 2058
2057 if (encaps_data) { 2059 if (encaps_data) {
@@ -2184,7 +2186,7 @@ void ieee80211_tx_pending(unsigned long data)
2184 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 2186 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
2185 2187
2186 if (WARN_ON(!info->control.vif)) { 2188 if (WARN_ON(!info->control.vif)) {
2187 kfree_skb(skb); 2189 ieee80211_free_txskb(&local->hw, skb);
2188 continue; 2190 continue;
2189 } 2191 }
2190 2192