From 9b50d9c06c275419ac36de8b5a5dd1ed6b522770 Mon Sep 17 00:00:00 2001 From: Zilin Guan Date: Thu, 22 Jan 2026 08:59:45 +0000 Subject: [PATCH] wifi: p54: Fix memory leak in p54_beacon_update() In p54_beacon_update(), beacon is allocated via ieee80211_beacon_get(). If p54_beacon_format_ie_tim() fails, the function returns immediately without freeing the allocated beacon skb, which would lead to a memory leak. Since no other references to this memory exist, it must be freed locally before returning the error. Fix this by freeing the buffer using dev_kfree_skb_any() in the error path. Note that this error path is unreachable in practice because mac80211 guarantees a minimum TIM length of 4 bytes for non-S1G devices. This change primarily serves to silence static analysis warnings and keep the error handling logic complete. Compile tested only. Issue found using a prototype static analysis tool and code review. Signed-off-by: Zilin Guan Acked-by: Christian Lamparter Link: https://patch.msgid.link/20260122085945.444955-1-zilin@seu.edu.cn Signed-off-by: Johannes Berg --- drivers/net/wireless/intersil/p54/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c index 2ec3655f1a9c..57a62108cbc3 100644 --- a/drivers/net/wireless/intersil/p54/main.c +++ b/drivers/net/wireless/intersil/p54/main.c @@ -143,8 +143,10 @@ static int p54_beacon_update(struct p54_common *priv, if (!beacon) return -ENOMEM; ret = p54_beacon_format_ie_tim(beacon); - if (ret) + if (ret) { + dev_kfree_skb_any(beacon); return ret; + } /* * During operation, the firmware takes care of beaconing.