summaryrefslogtreecommitdiff
path: root/drivers/net/wireless
diff options
context:
space:
mode:
authorPo-Hao Huang <phhuang@realtek.com>2021-06-24 05:34:59 +0300
committerKalle Valo <kvalo@codeaurora.org>2021-06-24 19:21:15 +0300
commit1d8820d5462dcdd34f3eb7ef4893536c439e476d (patch)
treece783bcea6592aa1c7402f351cbb45e85e8bbd87 /drivers/net/wireless
parent1a3ac5c651a0c859bdea64ed964fc93c2ba980d3 (diff)
downloadlinux-1d8820d5462dcdd34f3eb7ef4893536c439e476d.tar.xz
rtw88: fix c2h memory leak
Fix erroneous code that leads to unreferenced objects. During H2C operations, some functions returned without freeing the memory that only the function have access to. Release these objects when they're no longer needed to avoid potentially memory leaks. Signed-off-by: Po-Hao Huang <phhuang@realtek.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210624023459.10294-1-pkshih@realtek.com
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r--drivers/net/wireless/realtek/rtw88/coex.c11
-rw-r--r--drivers/net/wireless/realtek/rtw88/fw.c2
-rw-r--r--drivers/net/wireless/realtek/rtw88/main.c1
3 files changed, 13 insertions, 1 deletions
diff --git a/drivers/net/wireless/realtek/rtw88/coex.c b/drivers/net/wireless/realtek/rtw88/coex.c
index 103e87745be6..2551e228b581 100644
--- a/drivers/net/wireless/realtek/rtw88/coex.c
+++ b/drivers/net/wireless/realtek/rtw88/coex.c
@@ -591,8 +591,10 @@ void rtw_coex_info_response(struct rtw_dev *rtwdev, struct sk_buff *skb)
struct rtw_coex *coex = &rtwdev->coex;
u8 *payload = get_payload_from_coex_resp(skb);
- if (payload[0] != COEX_RESP_ACK_BY_WL_FW)
+ if (payload[0] != COEX_RESP_ACK_BY_WL_FW) {
+ dev_kfree_skb_any(skb);
return;
+ }
skb_queue_tail(&coex->queue, skb);
wake_up(&coex->wait);
@@ -3515,6 +3517,7 @@ static bool rtw_coex_get_bt_reg(struct rtw_dev *rtwdev,
payload = get_payload_from_coex_resp(skb);
*val = GET_COEX_RESP_BT_REG_VAL(payload);
+ dev_kfree_skb_any(skb);
return true;
}
@@ -3533,6 +3536,8 @@ static bool rtw_coex_get_bt_patch_version(struct rtw_dev *rtwdev,
payload = get_payload_from_coex_resp(skb);
*patch_version = GET_COEX_RESP_BT_PATCH_VER(payload);
+ dev_kfree_skb_any(skb);
+
return true;
}
@@ -3550,6 +3555,8 @@ static bool rtw_coex_get_bt_supported_version(struct rtw_dev *rtwdev,
payload = get_payload_from_coex_resp(skb);
*supported_version = GET_COEX_RESP_BT_SUPP_VER(payload);
+ dev_kfree_skb_any(skb);
+
return true;
}
@@ -3567,6 +3574,8 @@ static bool rtw_coex_get_bt_supported_feature(struct rtw_dev *rtwdev,
payload = get_payload_from_coex_resp(skb);
*supported_feature = GET_COEX_RESP_BT_SUPP_FEAT(payload);
+ dev_kfree_skb_any(skb);
+
return true;
}
diff --git a/drivers/net/wireless/realtek/rtw88/fw.c b/drivers/net/wireless/realtek/rtw88/fw.c
index 176e8b67530e..3bfa5ecc0053 100644
--- a/drivers/net/wireless/realtek/rtw88/fw.c
+++ b/drivers/net/wireless/realtek/rtw88/fw.c
@@ -245,10 +245,12 @@ void rtw_fw_c2h_cmd_rx_irqsafe(struct rtw_dev *rtwdev, u32 pkt_offset,
break;
case C2H_WLAN_RFON:
complete(&rtwdev->lps_leave_check);
+ dev_kfree_skb_any(skb);
break;
case C2H_SCAN_RESULT:
complete(&rtwdev->fw_scan_density);
rtw_fw_scan_result(rtwdev, c2h->payload, len);
+ dev_kfree_skb_any(skb);
break;
default:
/* pass offset for further operation */
diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 4a9a8544e8ca..c6364837e83b 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1899,6 +1899,7 @@ void rtw_core_deinit(struct rtw_dev *rtwdev)
destroy_workqueue(rtwdev->tx_wq);
spin_lock_irqsave(&rtwdev->tx_report.q_lock, flags);
skb_queue_purge(&rtwdev->tx_report.queue);
+ skb_queue_purge(&rtwdev->coex.queue);
spin_unlock_irqrestore(&rtwdev->tx_report.q_lock, flags);
list_for_each_entry_safe(rsvd_pkt, tmp, &rtwdev->rsvd_page_list,