ath9k: fix a memory leak in ath_rx_tasklet()

commit 0d95521ea7 (ath9k: use split rx buffers to get rid of order-1 skb
allocations) added in memory leak in error path.

sc->rx.frag should be cleared after the pskb_expand_head() call, or else
we jump to requeue_drop_frag and leak an skb.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jouni Malinen <jouni@qca.qualcomm.com>
Cc: Felix Fietkau <nbd@openwrt.org>
Cc: John W. Linville <linville@tuxdriver.com>
Cc: Trond Wuellner <trond@chromium.org>
Cc: Grant Grundler <grundler@chromium.org>
Cc: Paul Stewart <pstew@chromium.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index f4ae3ba..1c4583c 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -1913,13 +1913,13 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
                if (sc->rx.frag) {
                        int space = skb->len - skb_tailroom(hdr_skb);
 
-                       sc->rx.frag = NULL;
-
                        if (pskb_expand_head(hdr_skb, 0, space, GFP_ATOMIC) < 0) {
                                dev_kfree_skb(skb);
                                goto requeue_drop_frag;
                        }
 
+                       sc->rx.frag = NULL;
+
                        skb_copy_from_linear_data(skb, skb_put(hdr_skb, skb->len),
                                                  skb->len);
                        dev_kfree_skb_any(skb);