mt76: dma: fix a possible memory leak in mt76_add_fragment()

[ Upstream commit 93a1d4791c10d443bc67044def7efee2991d48b7 ]

Fix a memory leak in mt76_add_fragment routine returning the buffer
to the page_frag_cache when we receive a new fragment and the
skb_shared_info frag array is full.

Fixes: b102f0c522cf6 ("mt76: fix array overflow on receiving too many fragments for a packet")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Acked-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/4f9dd73407da88b2a552517ce8db242d86bf4d5c.1611616130.git.lorenzo@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/mediatek/mt76/dma.c b/drivers/net/wireless/mediatek/mt76/dma.c
index 026d996612fbef5986d70f114fa83365f25e2e61..781952b686ed28d5e6a0257bfb148987f0e0984a 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/dma.c
@@ -452,15 +452,17 @@ static void
 mt76_add_fragment(struct mt76_dev *dev, struct mt76_queue *q, void *data,
                  int len, bool more)
 {
-       struct page *page = virt_to_head_page(data);
-       int offset = data - page_address(page);
        struct sk_buff *skb = q->rx_head;
        struct skb_shared_info *shinfo = skb_shinfo(skb);
 
        if (shinfo->nr_frags < ARRAY_SIZE(shinfo->frags)) {
-               offset += q->buf_offset;
+               struct page *page = virt_to_head_page(data);
+               int offset = data - page_address(page) + q->buf_offset;
+
                skb_add_rx_frag(skb, shinfo->nr_frags, page, offset, len,
                                q->buf_size);
+       } else {
+               skb_free_frag(data);
        }
 
        if (more)