Commit 2b40994c authored by Felix Fietkau's avatar Felix Fietkau Committed by John W. Linville

ath9k: fix a potential buffer leak in the STA teardown path

It looks like it might be possible for a TID to be paused, while still
holding some queued buffers, however ath_tx_node_cleanup currently only
iterates over active TIDs.
Fix this by always checking every allocated TID for the STA that is being
cleaned up.
Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 60ea385f
...@@ -2430,37 +2430,37 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an) ...@@ -2430,37 +2430,37 @@ void ath_tx_node_init(struct ath_softc *sc, struct ath_node *an)
void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an) void ath_tx_node_cleanup(struct ath_softc *sc, struct ath_node *an)
{ {
int i; struct ath_atx_ac *ac;
struct ath_atx_ac *ac, *ac_tmp; struct ath_atx_tid *tid;
struct ath_atx_tid *tid, *tid_tmp;
struct ath_txq *txq; struct ath_txq *txq;
int i, tidno;
for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { for (tidno = 0, tid = &an->tid[tidno];
if (ATH_TXQ_SETUP(sc, i)) { tidno < WME_NUM_TID; tidno++, tid++) {
txq = &sc->tx.txq[i]; i = tid->ac->qnum;
spin_lock_bh(&txq->axq_lock); if (!ATH_TXQ_SETUP(sc, i))
continue;
list_for_each_entry_safe(ac, txq = &sc->tx.txq[i];
ac_tmp, &txq->axq_acq, list) { ac = tid->ac;
tid = list_first_entry(&ac->tid_q,
struct ath_atx_tid, list);
if (tid && tid->an != an)
continue;
list_del(&ac->list);
ac->sched = false;
list_for_each_entry_safe(tid,
tid_tmp, &ac->tid_q, list) {
list_del(&tid->list);
tid->sched = false;
ath_tid_drain(sc, txq, tid);
tid->state &= ~AGGR_ADDBA_COMPLETE;
tid->state &= ~AGGR_CLEANUP;
}
}
spin_unlock_bh(&txq->axq_lock); spin_lock_bh(&txq->axq_lock);
if (tid->sched) {
list_del(&tid->list);
tid->sched = false;
}
if (ac->sched) {
list_del(&ac->list);
tid->ac->sched = false;
} }
ath_tid_drain(sc, txq, tid);
tid->state &= ~AGGR_ADDBA_COMPLETE;
tid->state &= ~AGGR_CLEANUP;
spin_unlock_bh(&txq->axq_lock);
} }
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment