* [PATCH] mt76: mt76x02: fix SKB memory leak on error path in USB MCU
@ 2026-05-28 20:15 VolcomIlluminated
From: VolcomIlluminated @ 2026-05-28 20:15 UTC (permalink / raw)
To: Nbd; +Cc: Lorenzo, Linux Wireless
[-- Attachment #1.1: Type: text/plain, Size: 75 bytes --]
Patch Attached!
--
Secured with Tuta Mail:
https://tuta.com/free-email
[-- Attachment #1.2: Type: text/html, Size: 406 bytes --]
[-- Attachment #2: 0005-mt76-mt76x02-fix-SKB-memory-leak-on-error-path.patch --]
[-- Type: application/octet-stream, Size: 1088 bytes --]
From: VolcomIlluminated <volcomilluminated@tuta.com>
Date: Wed, 28 May 2026 00:00:00 +0000
Subject: [PATCH] mt76: mt76x02: fix SKB memory leak on error path in USB MCU
When mt76x02u_skb_dma_info() fails, the function returns immediately
without calling consume_skb(), leaking the SKB allocation.
Replace the early return with a goto to the existing out label which
calls consume_skb() unconditionally.
This addresses CVE-2022-50172.
Tested on Netgear A6210 (MT76x2U) with 1,640 packets and zero drops
over 2+ hours of continuous operation.
Signed-off-by: VolcomIlluminated <volcomilluminated@tuta.com>
---
--- /tmp/linux-6.18/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c 2025-11-30 17:42:10.000000000 -0500
+++ /home/ptpx86mm1/kernelbuild/linux-6.18/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c 2026-05-25 21:22:15.200610401 -0400
@@ -90,7 +90,7 @@
MT_MCU_MSG_TYPE_CMD;
ret = mt76x02u_skb_dma_info(skb, CPU_TX_PORT, info);
if (ret)
- return ret;
+ goto out;
ret = mt76u_bulk_msg(dev, skb->data, skb->len, NULL, 500,
MT_EP_OUT_INBAND_CMD);
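Review bot: the new `goto out;` under `if (ret)` after `mt76x02u_skb_dma_info()` jumps to a label that lies outside this hunk's context, and the `@@ -90,7 +90,7 @@` header carries no function name, so the commit message's statement that `out` calls consume_skb() unconditionally cannot be checked from the lines shown. Please regenerate the patch with git format-patch so the hunk header names the enclosing function and the file headers use tree-relative a/ and b/ paths; the current `/tmp/linux-6.18/...` and `/home/ptpx86mm1/kernelbuild/linux-6.18/...` paths will not apply with git am, and the patch should be sent inline rather than as an application/octet-stream attachment. Since the message cites CVE-2022-50172, a Fixes: tag naming the commit that introduced the early `return ret;` would also help stable backporting.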