On 8/25/2024 6:49 PM, Baochen Qiang wrote:
> Currently peer->tfm_mmic would only get freed, by ath11k_dp_peer_cleanup(),
> when the corresponding station transits from NONE to NOTEXIST state within
> ath11k_mac_op_sta_state(). However in the reset scenario, there is no chance for
> it to go through such transition. Further, during reset, we call
> ath11k_mac_peer_cleanup_all() where peer is freed, thus leaking peer->tfm_mmic:
>
> Kmemleak reports:
> unreferenced object 0xffff9a3ca7828d00 (size 64):
>   backtrace (crc 4a016586):
>     __kmalloc_node_noprof+0x38f/0x480
>     crypto_alloc_tfmmem.isra.0+0x2e/0x60
>     crypto_create_tfm_node+0x29/0xe0
>     crypto_alloc_tfm_node+0x5d/0x130
>     ath11k_peer_rx_frag_setup+0x2c/0x150 [ath11k]
>     ath11k_dp_peer_setup+0x82/0x160 [ath11k]
>     ath11k_mac_op_sta_state+0x26f/0xca0 [ath11k]
>     drv_sta_state+0x11e/0x9c0 [mac80211]
>     sta_info_insert_rcu+0x469/0x880 [mac80211]
>     sta_info_insert+0x10/0x80 [mac80211]
>     ieee80211_prep_connection+0x295/0x950 [mac80211]
>     ieee80211_mgd_auth+0x230/0x5a0 [mac80211]
>     cfg80211_mlme_auth+0xeb/0x2a0 [cfg80211]
>
> In order to fix it we need to call crypto_free_shash() as well in
> ath11k_mac_peer_cleanup_all(). Considering ath11k_peer_rx_tid_cleanup() is
> also called there, we can simply replace it with ath11k_dp_peer_cleanup().
>
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
>
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Baochen Qiang <quic_bqiang@xxxxxxxxxxx>

Acked-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx>
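
The leak described in the quoted commit message, reduced to a user-space C model (an added example, not code from the patch or from the ath11k driver). The `model_*` names, the allocation counter and the buffer sizes are assumptions made for illustration; the counter stands in for kmemleak.

```c
#include <stdio.h>
#include <stdlib.h>

/* User-space model: all names are hypothetical stand-ins, not driver code. */
static int live_allocs; /* outstanding allocations, in the role of kmemleak */
static void *model_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void model_free(void *p) { if (p) { live_allocs--; free(p); } }

struct model_peer {
    void *tfm_mmic; /* models the transform allocated during peer setup */
    void *rx_tid;   /* models per-TID receive state */
};

static struct model_peer *model_peer_setup(void)
{
    struct model_peer *peer = model_alloc(sizeof(*peer));
    if (peer) {
        peer->tfm_mmic = model_alloc(64);
        peer->rx_tid = model_alloc(128);
    }
    return peer;
}

/* Releases TID state only; tfm_mmic is not its responsibility. */
static void model_rx_tid_cleanup(struct model_peer *peer) { model_free(peer->rx_tid); }

/* Full cleanup: TID state plus the transform (the crypto_free_shash() step). */
static void model_dp_peer_cleanup(struct model_peer *peer)
{
    model_rx_tid_cleanup(peer);
    model_free(peer->tfm_mmic);
}

/* Reset path for one peer; returns how many allocations it left behind. */
static int model_reset_leaks(int use_full_cleanup)
{
    int before = live_allocs;
    struct model_peer *peer = model_peer_setup();
    if (!peer) return -1;
    (use_full_cleanup ? model_dp_peer_cleanup : model_rx_tid_cleanup)(peer);
    model_free(peer); /* anything the peer still owned is now unreachable */
    return live_allocs - before;
}

int main(void)
{
    printf("tid-only: %d leaked, full: %d leaked\n", model_reset_leaks(0), model_reset_leaks(1));
    return 0;
}
```
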