From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Felix Fietkau <nbd@openwrt.org>,
"John W. Linville" <linville@tuxdriver.com>
Subject: [15/38] ath9k: fix a potential buffer leak in the STA teardown path
Date: Fri, 06 Aug 2010 11:30:36 -0700
Message-ID: <20100806183201.400921938@clark.site>
In-Reply-To: <20100806183250.GA23019@kroah.com>
2.6.35-stable review patch. If anyone has any objections, please let us know.
------------------
From: Felix Fietkau <nbd@openwrt.org>
commit 2b40994cabd2f545d5c11d3a65dcee6f6f9155f8 upstream.
It looks like it might be possible for a TID to be paused, while still
holding some queued buffers, however ath_tx_node_cleanup currently only
iterates over active TIDs.
Fix this by always checking every allocated TID for the STA that is being
cleaned up.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/net/wireless/ath/ath9k/xmit.c | 56 +++++++++++++++++-----------------
1 file changed, 28 insertions(+), 28 deletions(-)
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -2449,37 +2449,37 @@ void ath_tx_node_init(struct ath_softc *
void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an)
{
- int i;
- struct ath_atx_ac *ac, *ac_tmp;
- struct ath_atx_tid *tid, *tid_tmp;
+ struct ath_atx_ac *ac;
+ struct ath_atx_tid *tid;
struct ath_txq *txq;
+ int i, tidno;
- for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
- if (ATH_TXQ_SETUP(sc, i)) {
- txq = &sc->tx.txq[i];
-
- spin_lock_bh(&txq->axq_lock);
-
- list_for_each_entry_safe(ac,
- ac_tmp, &txq->axq_acq, list) {
- tid = list_first_entry(&ac->tid_q,
- struct ath_atx_tid, list);
- if (tid && tid->an != an)
- continue;
- list_del(&ac->list);
- ac->sched = false;
-
- list_for_each_entry_safe(tid,
- tid_tmp, &ac->tid_q, list) {
- list_del(&tid->list);
- tid->sched = false;
- ath_tid_drain(sc, txq, tid);
- tid->state &= ~AGGR_ADDBA_COMPLETE;
- tid->state &= ~AGGR_CLEANUP;
- }
- }
+ for (tidno = 0, tid = &an->tid[tidno];
+ tidno < WME_NUM_TID; tidno++, tid++) {
+ i = tid->ac->qnum;
- spin_unlock_bh(&txq->axq_lock);
+ if (!ATH_TXQ_SETUP(sc, i))
+ continue;
+
+ txq = &sc->tx.txq[i];
+ ac = tid->ac;
+
+ spin_lock_bh(&txq->axq_lock);
+
+ if (tid->sched) {
+ list_del(&tid->list);
+ tid->sched = false;
}
+
+ if (ac->sched) {
+ list_del(&ac->list);
+ tid->ac->sched = false;
+ }
+
+ ath_tid_drain(sc, txq, tid);
+ tid->state &= ~AGGR_ADDBA_COMPLETE;
+ tid->state &= ~AGGR_CLEANUP;
+
+ spin_unlock_bh(&txq->axq_lock);
}
}
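Review bot: In the `if (ac->sched)` block the flag is cleared through `tid->ac->sched = false`, while the `list_del(&ac->list)` just above it uses the local `ac` that was assigned from `tid->ac` a few lines earlier. Writing `ac->sched = false`, and taking `qnum` from `ac` after that assignment, would make it obvious both lines act on the same object. The loop also dereferences `tid->ac` for every one of the WME_NUM_TID entries before any check, so it relies on each entry of `an->tid[]` having a valid `ac` pointer by the time cleanup runs; a one-line comment stating that invariant would help. Since `ath_tid_drain()` is now called unconditionally under `axq_lock` for each TID, including ones with `tid->sched` clear, it is worth confirming in the changelog that draining a TID with nothing queued is a no-op.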