In some of the non-success return paths, the memory allocated by
iwl4965_sta_alloc_lq() in iwl4965_alloc_bcast_station() is not freed.
In particular:
- if the card isn't ready after il4965_prepare_card_hw()
- if the card is hardware-rfkilled
In the hardware rfkilled path, the driver enables the rfkill
interrupt. When the card is unrfkilled and this interrupt is raised
we end up calling il4965_bg_restart() which calls __il4965_up() which
calls iwl4965_alloc_bcast_station() again.
Suggested-by: Jia-Ju Bai <baijiaju1990@xxxxxxx>
Signed-off-by: Julian Calaby <julian.calaby@xxxxxxxxx>
---
This is only compile tested as I don't have compatible hardware. I also
don't know the driver enough to know that this is truly correct - however
it looks right and I stand by my analysis.
Could someone else please review this?
Thanks,
Julian Calaby
---
drivers/net/wireless/intel/iwlegacy/4965-mac.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlegacy/4965-mac.c b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
index 30d9dd3..f9ed480 100644
--- a/drivers/net/wireless/intel/iwlegacy/4965-mac.c
+++ b/drivers/net/wireless/intel/iwlegacy/4965-mac.c
@@ -5553,6 +5553,7 @@ __il4965_up(struct il_priv *il)
il4965_prepare_card_hw(il);
if (!il->hw_ready) {
+ il_dealloc_bcast_stations(il);
IL_ERR("HW not ready\n");
return -EIO;
}
@@ -5564,6 +5565,7 @@ __il4965_up(struct il_priv *il)
set_bit(S_RFKILL, &il->status);
wiphy_rfkill_set_hw_state(il->hw->wiphy, true);
+ il_dealloc_bcast_stations(il);
il_enable_rfkill_int(il);
IL_WARN("Radio disabled by HW RF Kill switch\n");
return 0;
--
2.7.0
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
