Commit 93a1d479 authored by Lorenzo Bianconi's avatar Lorenzo Bianconi Committed by Kalle Valo

mt76: dma: fix a possible memory leak in mt76_add_fragment()

Fix a memory leak in mt76_add_fragment routine returning the buffer
to the page_frag_cache when we receive a new fragment and the
skb_shared_info frag array is full.

Fixes: b102f0c5 ("mt76: fix array overflow on receiving too many fragments for a packet")
Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
Acked-by: default avatarFelix Fietkau <nbd@nbd.name>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org
parent b64acb28
...@@ -509,15 +509,17 @@ static void ...@@ -509,15 +509,17 @@ static void
mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data, mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
int len, bool more) int len, bool more)
{ {
struct page *page = virt_to_head_page(data);
int offset = data - page_address(page);
struct sk_buff *skb = q->rx_head; struct sk_buff *skb = q->rx_head;
struct skb_shared_info *shinfo = skb_shinfo(skb); struct skb_shared_info *shinfo = skb_shinfo(skb);
if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) { if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
offset += q->buf_offset; struct page *page = virt_to_head_page(data);
int offset = data - page_address(page) + q->buf_offset;
skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len, skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
q->buf_size); q->buf_size);
} else {
skb_free_frag(data);
} }
if (more) if (more)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment