From: Felix Fietkau <nbd@nbd.name>
Date: Mon, 20 Jan 2020 11:08:30 +0000 (+0100)
Subject: mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
X-Git-Tag: v5.7-rc1~146^2~240^2^2~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=93eaec7625f13cffb593b471405b017c7e64d4ee;p=thirdparty%2Fkernel%2Flinux.git

mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw

Fixes a theoretical issue where it could potentially overwrite an existing
descriptor entry (and leaking its skb)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index e69329feed78a..bcb11bb9aeebb 100644
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -271,10 +271,13 @@ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, enum mt76_txq_id qid,
 	struct mt76_queue_buf buf;
 	dma_addr_t addr;
 
+	if (q->queued + 1 >= q->ndesc - 1)
+		goto error;
+
 	addr = dma_map_single(dev->dev, skb->data, skb->len,
 			      DMA_TO_DEVICE);
 	if (unlikely(dma_mapping_error(dev->dev, addr)))
-		return -ENOMEM;
+		goto error;
 
 	buf.addr = addr;
 	buf.len = skb->len;
@@ -285,6 +288,10 @@ mt76_dma_tx_queue_skb_raw(struct mt76_dev *dev, enum mt76_txq_id qid,
 	spin_unlock_bh(&q->lock);
 
 	return 0;
+
+error:
+	dev_kfree_skb(skb);
+	return -ENOMEM;
 }
 
 static int