github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-27 08:33:17 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

wifi: mt76: Fix memory leak after mt76_connac_mcu_alloc_sta_req()

Browse Source 
mt76_connac_mcu_alloc_sta_req() allocates an skb which is expected to
be freed eventually by mt76_mcu_skb_send_msg(). However, currently if
an intermediate function fails before sending, the allocated skb is
leaked.

Specifically, mt76_connac_mcu_sta_wed_update() and
mt76_connac_mcu_sta_key_tlv() may fail, leading to an immediate memory
leak in the error path.

Fix this by explicitly freeing the skb in these error paths.
Commit 7c0f63fe37 ("wifi: mt76: mt7996: fix memory leak on
mt7996_mcu_sta_key_tlv error") made a similar change.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Fixes: d1369e515e ("wifi: mt76: connac: introduce mt76_connac_mcu_sta_wed_update utility routine")
Fixes: 6683d98808 ("mt76: connac: move mt76_connac_mcu_add_key in connac module")
Fixes: 4f831d18d1 ("wifi: mt76: mt7915: enable WED RX support")
Fixes: c948b5da6b ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Link: https://patch.msgid.link/20260116144919.1482558-1-zilin@seu.edu.cn
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This commit is contained in:
Zilin Guan 2026-01-16 14:49:19 +00:00 committed by Felix Fietkau
parent dd08ca3f09
commit c41075ce8c
3 changed files with 18 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
View File

@ -1295,8 +1295,10 @@ int mt76_connac_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif,
wtbl_hdr);
ret = mt76_connac_mcu_sta_wed_update(dev, skb);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
ret = mt76_mcu_skb_send_msg(dev, skb, cmd, true);
if (ret)
@ -1309,8 +1311,10 @@ int mt76_connac_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif,
mt76_connac_mcu_sta_ba_tlv(skb, params, enable, tx);
ret = mt76_connac_mcu_sta_wed_update(dev, skb);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
return mt76_mcu_skb_send_msg(dev, skb, cmd, true);
}
@ -2764,12 +2768,16 @@ int mt76_connac_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
return PTR_ERR(skb);
ret = mt76_connac_mcu_sta_key_tlv(sta_key_conf, skb, key, cmd);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
ret = mt76_connac_mcu_sta_wed_update(dev, skb);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
}

4
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
View File

@ -1765,8 +1765,10 @@ int mt7915_mcu_add_sta(struct mt7915_dev *dev, struct ieee80211_vif *vif,
}
out:
ret = mt76_connac_mcu_sta_wed_update(&dev->mt76, skb);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
return mt76_mcu_skb_send_msg(&dev->mt76, skb,
MCU_EXT_CMD(STA_REC_UPDATE), true);

4
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
View File

@ -1288,8 +1288,10 @@ int mt7925_mcu_add_key(struct mt76_dev *dev, struct ieee80211_vif *vif,
return PTR_ERR(skb);
ret = mt7925_mcu_sta_key_tlv(wcid, sta_key_conf, skb, key, cmd, msta);
if (ret)
if (ret) {
dev_kfree_skb(skb);
return ret;
}
return mt76_mcu_skb_send_msg(dev, skb, mcu_cmd, true);
}