From: Christian Lamparter <chunkeey@gmail.com>
To: Zilin Guan <zilin@seu.edu.cn>
Cc: johannes.berg@intel.com, quic_rdevanat@quicinc.com,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
jianhao.xu@seu.edu.cn
Subject: Re: [PATCH v3] wifi: p54: Fix memory leak in p54_beacon_update()
Date: Thu, 22 Jan 2026 12:43:21 +0100 [thread overview]
Message-ID: <12dcf657-b8d9-4bd5-9bb1-e760dcbf1b30@gmail.com> (raw)
In-Reply-To: <20260122085945.444955-1-zilin@seu.edu.cn>
On 1/22/26 9:59 AM, Zilin Guan wrote:
> In p54_beacon_update(), beacon is allocated via ieee80211_beacon_get().
> If p54_beacon_format_ie_tim() fails, the function returns immediately
> without freeing the allocated beacon skb, which would lead to a memory
> leak.
>
> Since no other references to this memory exist, it must be freed locally
> before returning the error. Fix this by freeing the buffer using
> dev_kfree_skb_any() in the error path.
>
> Note that this error path is unreachable in practice because mac80211
> guarantees a minimum TIM length of 4 bytes for non-S1G devices. This
> change primarily serves to silence static analysis warnings and keep
> the error handling logic complete.
>
> Compile tested only. Issue found using a prototype static analysis tool
> and code review.
>
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
This will be picked up automatically, right?
> ---
> Changes in v3:
> - Add a note in the commit message about the code path being unreachable
> in practice.
> - Remove the Fixes tag as the issue is theoretical and unreachable.
>
> Changes in v2:
> - Correct the Fixes tag to point to the commit that introduced this issue.
>
> drivers/net/wireless/intersil/p54/main.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c
> index 2ec3655f1a9c..57a62108cbc3 100644
> --- a/drivers/net/wireless/intersil/p54/main.c
> +++ b/drivers/net/wireless/intersil/p54/main.c
> @@ -143,8 +143,10 @@ static int p54_beacon_update(struct p54_common *priv,
> if (!beacon)
> return -ENOMEM;
> ret = p54_beacon_format_ie_tim(beacon);
> - if (ret)
> + if (ret) {
> + dev_kfree_skb_any(beacon);
> return ret;
> + }
>
> /*
> * During operation, the firmware takes care of beaconing.
prev parent reply other threads:[~2026-01-22 11:43 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-22 8:59 [PATCH v3] wifi: p54: Fix memory leak in p54_beacon_update() Zilin Guan
2026-01-22 11:43 ` Christian Lamparter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12dcf657-b8d9-4bd5-9bb1-e760dcbf1b30@gmail.com \
--to=chunkeey@gmail.com \
--cc=jianhao.xu@seu.edu.cn \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=quic_rdevanat@quicinc.com \
--cc=zilin@seu.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.