ath10k: fix tx_stats memory leak

Memory of tx_stats was allocated when a STA was added. But it's not freed
if the STA failed to be added to driver. This issue could be seen in MDK3
attack case when STA number reached the limit.

Tested: QCA9984 with firmware ver 10.4-3.9.0.1-00005
Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index dc8968de012d1d1317c2522b86816da79c3ffcea..43398e06454fa93097bd7ca04629d54e0bfd72b6 100644 (file)
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -6279,15 +6279,6 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                           ar->num_stations + 1, ar->max_num_stations,
                           ar->num_peers + 1, ar->max_num_peers);
 
-               if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
-                       arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
-                                                 GFP_KERNEL);
-                       if (!arsta->tx_stats) {
-                               ret = -ENOMEM;
-                               goto exit;
-                       }
-               }
-
                num_tdls_stations = ath10k_mac_tdls_vif_stations_count(hw, vif);
 
                if (sta->tdls) {
@@ -6308,12 +6299,22 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                        goto exit;
                }
 
+               if (ath10k_debug_is_extd_tx_stats_enabled(ar)) {
+                       arsta->tx_stats = kzalloc(sizeof(*arsta->tx_stats),
+                                                 GFP_KERNEL);
+                       if (!arsta->tx_stats) {
+                               ret = -ENOMEM;
+                               goto exit;
+                       }
+               }
+
                ret = ath10k_peer_create(ar, vif, sta, arvif->vdev_id,
                                         sta->addr, peer_type);
                if (ret) {
                        ath10k_warn(ar, "failed to add peer %pM for vdev %d when adding a new sta: %i\n",
                                    sta->addr, arvif->vdev_id, ret);
                        ath10k_mac_dec_num_stations(arvif, sta);
+                       kfree(arsta->tx_stats);
                        goto exit;
                }
 
@@ -6326,6 +6327,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                        spin_unlock_bh(&ar->data_lock);
                        ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
                        ath10k_mac_dec_num_stations(arvif, sta);
+                       kfree(arsta->tx_stats);
                        ret = -ENOENT;
                        goto exit;
                }
@@ -6346,6 +6348,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                        ath10k_peer_delete(ar, arvif->vdev_id,
                                           sta->addr);
                        ath10k_mac_dec_num_stations(arvif, sta);
+                       kfree(arsta->tx_stats);
                        goto exit;
                }
 
@@ -6357,6 +6360,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw,
                                    sta->addr, arvif->vdev_id, ret);
                        ath10k_peer_delete(ar, arvif->vdev_id, sta->addr);
                        ath10k_mac_dec_num_stations(arvif, sta);
+                       kfree(arsta->tx_stats);
 
                        if (num_tdls_stations != 0)
                                goto exit;