From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	alan@lxorguk.ukuu.org.uk, Felix Fietkau <nbd@openwrt.org>,
	"John W. Linville" <linville@tuxdriver.com>
Subject: [ 48/76] mac80211: use ieee80211_free_txskb to fix possible skb leaks
Date: Thu, 18 Oct 2012 19:47:12 -0700	[thread overview]
Message-ID: <20121019024357.842227386@linuxfoundation.org> (raw)
In-Reply-To: <20121019024350.087156547@linuxfoundation.org>

3.6-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Felix Fietkau <nbd@openwrt.org>

commit c3e7724b6bc2f25e46c38dbe68f09d71fafeafb8 upstream.

A few places free skbs using dev_kfree_skb even though they're called
after ieee80211_subif_start_xmit might have cloned it for tracking tx
status. Use ieee80211_free_txskb here to prevent skb leaks.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/status.c |    4 ++--
 net/mac80211/tx.c     |   22 ++++++++++++----------
 2 files changed, 14 insertions(+), 12 deletions(-)

--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -34,7 +34,7 @@ void ieee80211_tx_status_irqsafe(struct
 		skb_queue_len(&local->skb_queue_unreliable);
 	while (tmp > IEEE80211_IRQSAFE_QUEUE_LIMIT &&
 	       (skb = skb_dequeue(&local->skb_queue_unreliable))) {
-		dev_kfree_skb_irq(skb);
+		ieee80211_free_txskb(hw, skb);
 		tmp--;
 		I802_DEBUG_INC(local->tx_status_drop);
 	}
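Review bot: The new `ieee80211_free_txskb(hw, skb)` call replaces `dev_kfree_skb_irq(skb)` in a function whose name marks it as IRQ-safe, so the helper itself has to be safe with interrupts disabled. Its body is not part of this patch, so it should be confirmed that it frees through an any-context path such as `dev_kfree_skb_any()` and takes any internal lock with the irqsave variants. A short comment at the call would record that assumption, e.g. `/* ieee80211_free_txskb() must stay callable from hardirq context */`. The function starts and ends outside the hunk.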
@@ -159,7 +159,7 @@ static void ieee80211_handle_filtered_fr
 			   "dropped TX filtered frame, queue_len=%d PS=%d @%lu\n",
 			   skb_queue_len(&sta->tx_filtered[ac]),
 			   !!test_sta_flag(sta, WLAN_STA_PS_STA), jiffies);
-	dev_kfree_skb(skb);
+	ieee80211_free_txskb(&local->hw, skb);
 }
 
 static void ieee80211_check_pending_bar(struct sta_info *sta, u8 *addr, u8 tid)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -354,7 +354,7 @@ static void purge_old_ps_buffers(struct
 			total += skb_queue_len(&sta->ps_tx_buf[ac]);
 			if (skb) {
 				purged++;
-				dev_kfree_skb(skb);
+				ieee80211_free_txskb(&local->hw, skb);
 				break;
 			}
 		}
@@ -466,7 +466,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
 			ps_dbg(tx->sdata,
 			       "STA %pM TX buffer for AC %d full - dropping oldest frame\n",
 			       sta->sta.addr, ac);
-			dev_kfree_skb(old);
+			ieee80211_free_txskb(&local->hw, old);
 		} else
 			tx->local->total_ps_buffered++;
 
@@ -1103,7 +1103,7 @@ static bool ieee80211_tx_prep_agg(struct
 		spin_unlock(&tx->sta->lock);
 
 		if (purge_skb)
-			dev_kfree_skb(purge_skb);
+			ieee80211_free_txskb(&tx->local->hw, purge_skb);
 	}
 
 	/* reset session timer */
@@ -1214,7 +1214,7 @@ static bool ieee80211_tx_frags(struct ie
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
 		if (WARN_ON_ONCE(q >= local->hw.queues)) {
 			__skb_unlink(skb, skbs);
-			dev_kfree_skb(skb);
+			ieee80211_free_txskb(&local->hw, skb);
 			continue;
 		}
 #endif
@@ -1356,7 +1356,7 @@ static int invoke_tx_handlers(struct iee
 	if (unlikely(res == TX_DROP)) {
 		I802_DEBUG_INC(tx->local->tx_handlers_drop);
 		if (tx->skb)
-			dev_kfree_skb(tx->skb);
+			ieee80211_free_txskb(&tx->local->hw, tx->skb);
 		else
 			__skb_queue_purge(&tx->skbs);
 		return -1;
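Review bot: The `else` branch of this TX_DROP path still calls `__skb_queue_purge(&tx->skbs)`, which frees each queued skb with the plain skb free and bypasses the tx-status cleanup that the commit adds for `tx->skb` one line above. Whether frames on `tx->skbs` can still carry status-tracking state is not visible in this hunk and needs confirming, but if they can, the leak described in the commit message remains on this branch. A dequeue loop would make both branches agree: `while ((skb = __skb_dequeue(&tx->skbs))) ieee80211_free_txskb(&tx->local->hw, skb);` with a local `struct sk_buff *skb;`. The function body starts and ends outside the hunk.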
@@ -1393,7 +1393,7 @@ static bool ieee80211_tx(struct ieee8021
 	res_prepare = ieee80211_tx_prepare(sdata, &tx, skb);
 
 	if (unlikely(res_prepare == TX_DROP)) {
-		dev_kfree_skb(skb);
+		ieee80211_free_txskb(&local->hw, skb);
 		goto out;
 	} else if (unlikely(res_prepare == TX_QUEUED)) {
 		goto out;
@@ -1466,7 +1466,7 @@ void ieee80211_xmit(struct ieee80211_sub
 	headroom = max_t(int, 0, headroom);
 
 	if (ieee80211_skb_resize(sdata, skb, headroom, may_encrypt)) {
-		dev_kfree_skb(skb);
+		ieee80211_free_txskb(&local->hw, skb);
 		rcu_read_unlock();
 		return;
 	}
@@ -2060,8 +2060,10 @@ netdev_tx_t ieee80211_subif_start_xmit(s
 		head_need += IEEE80211_ENCRYPT_HEADROOM;
 		head_need += local->tx_headroom;
 		head_need = max_t(int, 0, head_need);
-		if (ieee80211_skb_resize(sdata, skb, head_need, true))
-			goto fail;
+		if (ieee80211_skb_resize(sdata, skb, head_need, true)) {
+			ieee80211_free_txskb(&local->hw, skb);
+			return NETDEV_TX_OK;
+		}
 	}
 
 	if (encaps_data) {
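Review bot: The resize-failure branch now frees and returns on its own instead of using `goto fail`, and nothing here says why this site differs from the other `goto fail` exits, which lie outside the hunk. Presumably `ieee80211_free_txskb` finds the status clone through the tx info stored in `skb->cb`; if so, it should be confirmed that this info is already initialised here, since the hunk does not show it being set before the resize. If it is not, the helper would be acting on stale control-buffer contents. A comment such as `/* skb may already have a tx-status clone registered; the plain free at fail: would leak it */` would document the intent.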
@@ -2196,7 +2198,7 @@ void ieee80211_tx_pending(unsigned long
 			struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 
 			if (WARN_ON(!info->control.vif)) {
-				kfree_skb(skb);
+				ieee80211_free_txskb(&local->hw, skb);
 				continue;
 			}
 



