[PATCH 2/3] wifi: ath11k: fix leaking peer->tfm_mmic in reset scenario

Baochen Qiang quic_bqiang at quicinc.com
Sun Aug 25 18:49:41 PDT 2024 

Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(),
when the corresponding station transit from NONE to NOTEXIST state within
ath11k_mac_op_sta_state(). However in reset scenario, there is no chance for
it to go through such transition. Further, during reset, we call
ath11k_mac_peer_cleanup_all() where peer is freed, thus leak peer->tfm_mmic:

Kmemleak reports:
unreferenced object 0xffff9a3ca7828d00 (size 64):
  backtrace (crc 4a016586):
    __kmalloc_node_noprof+0x38f/0x480
    crypto_alloc_tfmmem.isra.0+0x2e/0x60
    crypto_create_tfm_node+0x29/0xe0
    crypto_alloc_tfm_node+0x5d/0x130
    ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k]
    ath11k_dp_peer_setup+0x82/0x160 [ath11k]
    ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k]
    drv_sta_state+0x11e/0x9c0 [mac80211]
    sta_info_insert_rcu+0x469/0x880 [mac80211]
    sta_info_insert+0x10/0x80 [mac80211]
    ieee80211_prep_connection+0x295/0x950 [mac80211]
    ieee80211_mgd_auth+0x230/0x5a0 [mac80211]
    cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211]

In order to fix it we need to call crypto_free_shash() as well in
ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is
also called there, we can simply replace it with ath11k_dp_peer_cleanup().

Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Baochen Qiang <quic_bqiang at quicinc.com>
---
 drivers/net/wireless/ath/ath11k/mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index f1dff26bc237..f21d37cefb65 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -883,7 +883,7 @@ void ath11k_mac_peer_cleanup_all(struct ath11k *ar)
 	mutex_lock(&ab->tbl_mtx_lock);
 	spin_lock_bh(&ab->base_lock);
 	list_for_each_entry_safe(peer, tmp, &ab->peers, list) {
-		ath11k_peer_rx_tid_cleanup(ar, peer);
+		ath11k_dp_peer_cleanup(ar, peer->vdev_id, peer->sta->addr);
 		ath11k_peer_rhash_delete(ab, peer);
 		list_del(&peer->list);
 		kfree(peer);
-- 
2.25.1

More information about the ath11k mailing list