Since 'mgmt_pending_tx' of 'struct ath10k_wmi' contains pointers to dynamically allocated 'struct ath10k_mgmt_tx_pkt_addr' objects, these objects should be explicitly freed when removing from idr or when the whole idr is destroyed.
Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
---
 drivers/net/wireless/ath/ath10k/wmi-tlv.c | 11 +++++++++--
 drivers/net/wireless/ath/ath10k/wmi.c | 5 +++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
index 6b6aa3c36744..45a445c5f1df 100644
--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
@@ -3038,11 +3038,18 @@ ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
 struct sk_buff *msdu)
 {
 struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
+ struct ath10k_mgmt_tx_pkt_addr *pkt_addr;
 struct ath10k_wmi *wmi = &ar->wmi;
- idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
+ pkt_addr = idr_find(&wmi->mgmt_pending_tx, cb->msdu_id);
+ if (pkt_addr) {
+ idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
+ kfree(pkt_addr);
+ return 0;
+ }
- return 0;
+ ath10k_warn(ar, "invalid msdu_id: %d\n", cb->msdu_id);
+ return -ENOENT;
 }
 static int
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 05fa7d4c0e1a..20534a7d6551 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -2433,9 +2433,9 @@ wmi_process_mgmt_tx_comp(struct ath10k *ar, struct mgmt_tx_compl_params *param)
 ieee80211_tx_status_irqsafe(ar->hw, msdu);
 ret = 0;
-
-out:
 idr_remove(&wmi->mgmt_pending_tx, param->desc_id);
+ kfree(pkt_addr);
+out:
 spin_unlock_bh(&ar->data_lock);
 return ret;
 }
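Review bot: In ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() the new idr_find(), idr_remove() and kfree() sequence takes no lock, while the completion path in wmi.c frees entries of the same idr before its `spin_unlock_bh(&ar->data_lock)`. If callers of this cleanup op do not already hold `ar->data_lock` (not visible in the hunk), both paths can look up the same entry and each kfree() it, a double free the old remove-only code could not produce. idr_remove() already returns the removed pointer, so the separate idr_find() can be dropped and the lookup and removal done as one step under the lock, with kfree() after the unlock. The new -ENOENT return also changes a function that used to return 0 unconditionally, so its callers should be checked; the signature starts above the hunk.

```c
	struct ath10k_wmi *wmi = &ar->wmi;

	/* same lock the completion path holds around mgmt_pending_tx */
	spin_lock_bh(&ar->data_lock);
	pkt_addr = idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
	spin_unlock_bh(&ar->data_lock);
	if (!pkt_addr) {
		ath10k_warn(ar, "invalid msdu_id: %d\n", cb->msdu_id);
		return -ENOENT;
	}

	kfree(pkt_addr);
	return 0;
```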
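Review bot: Moving `out:` below the idr_remove() and kfree() in wmi_process_mgmt_tx_comp() means every `goto out` now leaves the entry in mgmt_pending_tx and its allocation alive. That is correct only if each jump is taken before the lookup succeeds; the jumps sit above the hunk, so this cannot be confirmed from here. A comment at the label would record the assumption, for example `/* reached directly only when no pending entry was found */`. Any error path later added after the lookup would then need its own removal and free.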
@@ -9539,6 +9539,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_pending(int msdu_id, void *ptr,
 dma_unmap_single(ar->dev, pkt_addr->paddr, msdu->len, DMA_TO_DEVICE);
 ieee80211_free_txskb(ar->hw, msdu);
+ kfree(pkt_addr);
 return 0;
 }
-- 
2.41.0
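Review bot: The added `kfree(pkt_addr)` in ath10k_wmi_mgmt_tx_clean_up_pending() frees the object, but the idr slot for msdu_id still holds the stale pointer when the function returns. That is safe only if the caller destroys the idr before anything else can look the id up, ideally without dropping the lock that guards mgmt_pending_tx; the call site is not in this hunk. I would state the contract above the function, for example `/* Frees the tracking entry; the caller must idr_destroy() mgmt_pending_tx before any further lookup. */`. The function begins above the hunk.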