aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/net
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2010-07-07 13:42:09 -0400
committerJohn W. Linville <linville@tuxdriver.com>2010-07-07 15:48:19 -0400
commit73e194639d90594d06d0c10019c0ab4638869135 (patch)
treee4fd234aa10e0b423431568793f30418680de73c /drivers/net
parent2b40994cabd2f545d5c11d3a65dcee6f6f9155f8 (diff)
ath9k: fix a buffer leak in A-MPDU completion
When ath_tx_complete_aggr() is called, it's responsible for returning all buffers in the linked list. This was not done when the STA lookup failed, leading to a race condition that could leak a few buffers when a STA just disconnected. Fix this by immediately returning all buffers to the free list in this case. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net')
-rw-r--r--drivers/net/wireless/ath/ath9k/xmit.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index 408d1c596a03..05ec36ac55f5 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -329,6 +329,7 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
329 int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0; 329 int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0;
330 bool rc_update = true; 330 bool rc_update = true;
331 struct ieee80211_tx_rate rates[4]; 331 struct ieee80211_tx_rate rates[4];
332 unsigned long flags;
332 333
333 skb = bf->bf_mpdu; 334 skb = bf->bf_mpdu;
334 hdr = (struct ieee80211_hdr *)skb->data; 335 hdr = (struct ieee80211_hdr *)skb->data;
@@ -344,6 +345,10 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq,
344 sta = ieee80211_find_sta_by_hw(hw, hdr->addr1); 345 sta = ieee80211_find_sta_by_hw(hw, hdr->addr1);
345 if (!sta) { 346 if (!sta) {
346 rcu_read_unlock(); 347 rcu_read_unlock();
348
349 spin_lock_irqsave(&sc->tx.txbuflock, flags);
350 list_splice_tail_init(bf_q, &sc->tx.txbuf);
351 spin_unlock_irqrestore(&sc->tx.txbuflock, flags);
347 return; 352 return;
348 } 353 }
349 354