Patchwork ath9k: fix a memory leak in ath_rx_tasklet()

login
register
mail settings
Submitter Eric Dumazet
Date March 15, 2012, 8:43 p.m.
Message ID <1331844209.19406.11.camel@edumazet-glaptop>
Download mbox | patch
Permalink /patch/147070/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Eric Dumazet - March 15, 2012, 8:43 p.m.
commit 0d95521ea7 (ath9k: use split rx buffers to get rid of order-1 skb
allocations) added in memory leak in error path.

sc->rx.frag should be cleared after the pskb_expand_head() call, or else
we jump to requeue_drop_frag and leak an skb.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jouni Malinen <jouni@qca.qualcomm.com>
Cc: Felix Fietkau <nbd@openwrt.org>
Cc: John W. Linville <linville@tuxdriver.com>
Cc: Trond Wuellner <trond@chromium.org>
Cc: Grant Grundler <grundler@chromium.org>
Cc: Paul Stewart <pstew@chromium.org>
Cc: David Miller <davem@davemloft.net>
---
 drivers/net/wireless/ath/ath9k/recv.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
John W. Linville - March 16, 2012, 2 p.m.
On Thu, Mar 15, 2012 at 01:43:29PM -0700, Eric Dumazet wrote:
> commit 0d95521ea7 (ath9k: use split rx buffers to get rid of order-1 skb
> allocations) added in memory leak in error path.
> 
> sc->rx.frag should be cleared after the pskb_expand_head() call, or else
> we jump to requeue_drop_frag and leak an skb.
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Jouni Malinen <jouni@qca.qualcomm.com>
> Cc: Felix Fietkau <nbd@openwrt.org>
> Cc: John W. Linville <linville@tuxdriver.com>
> Cc: Trond Wuellner <trond@chromium.org>
> Cc: Grant Grundler <grundler@chromium.org>
> Cc: Paul Stewart <pstew@chromium.org>
> Cc: David Miller <davem@davemloft.net>

Acked-by: John W. Linville <linville@tuxdriver.com>

Dave, will you pick this up yourself?  Or should I take it around the bend?

John

> ---
>  drivers/net/wireless/ath/ath9k/recv.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
> index 7e1a91a..e74fc99 100644
> --- a/drivers/net/wireless/ath/ath9k/recv.c
> +++ b/drivers/net/wireless/ath/ath9k/recv.c
> @@ -1917,13 +1917,13 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
>  		if (sc->rx.frag) {
>  			int space = skb->len - skb_tailroom(hdr_skb);
>  
> -			sc->rx.frag = NULL;
> -
>  			if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
>  				dev_kfree_skb(skb);
>  				goto requeue_drop_frag;
>  			}
>  
> +			sc->rx.frag = NULL;
> +
>  			skb_copy_from_linear_data(skb, skb_put(hdr_skb, skb->len),
>  						  skb->len);
>  			dev_kfree_skb_any(skb);
> 
> 
>
Eric Dumazet - March 21, 2012, 10:21 a.m.
Le vendredi 16 mars 2012 à 10:00 -0400, John W. Linville a écrit :
> On Thu, Mar 15, 2012 at 01:43:29PM -0700, Eric Dumazet wrote:
> > commit 0d95521ea7 (ath9k: use split rx buffers to get rid of order-1 skb
> > allocations) added in memory leak in error path.
> > 
> > sc->rx.frag should be cleared after the pskb_expand_head() call, or else
> > we jump to requeue_drop_frag and leak an skb.
> > 
> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> > Cc: Jouni Malinen <jouni@qca.qualcomm.com>
> > Cc: Felix Fietkau <nbd@openwrt.org>
> > Cc: John W. Linville <linville@tuxdriver.com>
> > Cc: Trond Wuellner <trond@chromium.org>
> > Cc: Grant Grundler <grundler@chromium.org>
> > Cc: Paul Stewart <pstew@chromium.org>
> > Cc: David Miller <davem@davemloft.net>
> 
> Acked-by: John W. Linville <linville@tuxdriver.com>
> 
> Dave, will you pick this up yourself?  Or should I take it around the bend?

I dont know, please make sure its not lost anyway :

I have an upcoming patch on top on this one to reduce ath9k skb truesize
by 50% and get better tcp receives.



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 7e1a91a..e74fc99 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -1917,13 +1917,13 @@  int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
 		if (sc->rx.frag) {
 			int space = skb->len - skb_tailroom(hdr_skb);
 
-			sc->rx.frag = NULL;
-
 			if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
 				dev_kfree_skb(skb);
 				goto requeue_drop_frag;
 			}
 
+			sc->rx.frag = NULL;
+
 			skb_copy_from_linear_data(skb, skb_put(hdr_skb, skb->len),
 						  skb->len);
 			dev_kfree_skb_any(skb);