All of lore.kernel.org
 help / color / mirror / Atom feed
From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Zilin Guan <zilin@seu.edu.cn>
Cc: angelogioacchino.delregno@collabora.com, jianhao.xu@seu.edu.cn,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-mediatek@lists.infradead.org,
	linux-wireless@vger.kernel.org, matthias.bgg@gmail.com,
	nbd@nbd.name, ryder.lee@mediatek.com, sean.wang@mediatek.com,
	shayne.chen@mediatek.com
Subject: Re: [PATCH net] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add()
Date: Thu, 13 Nov 2025 11:57:42 +0100	[thread overview]
Message-ID: <aRW5phMmzul8wTn-@lore-desk> (raw)
In-Reply-To: <20251113094135.348383-1-zilin@seu.edu.cn>

[-- Attachment #1: Type: text/plain, Size: 2415 bytes --]

> On Thu, Nov 13, 2025 at 08:17:09AM +0100, Lorenzo Bianconi wrote:
> > [-- Attachment #1: Type: text/plain, Size: 1475 bytes --]
> > 
> > > In mt7615_mcu_wtbl_sta_add(), an skb sskb is allocated. If the
> > > subsequent call to mt76_connac_mcu_alloc_wtbl_req() fails, the function
> > > returns an error without freeing sskb, leading to a memory leak.
> > > 
> > > Fix this by calling dev_kfree_skb() on sskb in the error handling path
> > > to ensure it is properly released.
> > > 
> > > Fixes: 99c457d902cf9 ("mt76: mt7615: move mt7615_mcu_set_bmc to mt7615_mcu_ops")
> > > Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> > > ---
> > >  drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 4 +++-
> > >  1 file changed, 3 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
> > > index 4064e193d4de..08ee2e861c4e 100644
> > > --- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
> > > +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
> > > @@ -874,8 +874,10 @@ mt7615_mcu_wtbl_sta_add(struct mt7615_phy *phy, struct ieee80211_vif *vif,
> > >  	wtbl_hdr = mt76_connac_mcu_alloc_wtbl_req(&dev->mt76, &msta->wcid,
> > >  						  WTBL_RESET_AND_SET, NULL,
> > >  						  &wskb);
> > > -	if (IS_ERR(wtbl_hdr))
> > > +	if (IS_ERR(wtbl_hdr)) {
> > > +		dev_kfree_skb(sskb);
> > 
> > Hi Zilin,
> > 
> > I can't see how this is useful since if mt76_connac_mcu_alloc_wtbl_req returns
> > an error, wskb will not be allocated.
> > 
> > Regards,
> > Lorenzo
> 
> Hi Lorenzo,
> 
> Thanks for your review.
> 
> You are correct that 'wskb' is not allocated in this error path. 
> However, my patch is intended to free 'sskb', which was allocated 
> earlier in the function. Without this change, 'sskb' is leaked if
> mt76_connac_mcu_alloc_wtbl_req() fails.
> 
> This approach is similar to the error handling logic later in the
> function, where a failure in sending one skb results in the other one
> being freed.
> 
> Hope this clarifies.

yes, right. I misread the code. I agree with the fix.

Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>

> 
> > >  		return PTR_ERR(wtbl_hdr);
> > > +	}
> > >  
> > >  	if (enable) {
> > >  		mt76_connac_mcu_wtbl_generic_tlv(&dev->mt76, wskb, vif, sta,
> > > -- 
> > > 2.34.1
> > > 
> 
> Best Regards,
> Zilin Guan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

      reply	other threads:[~2025-11-13 10:58 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-13  6:24 [PATCH net] mt76: mt7615: Fix memory leak in mt7615_mcu_wtbl_sta_add() Zilin Guan
2025-11-13  7:17 ` Lorenzo Bianconi
2025-11-13  9:41   ` Zilin Guan
2025-11-13 10:57     ` Lorenzo Bianconi [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aRW5phMmzul8wTn-@lore-desk \
    --to=lorenzo@kernel.org \
    --cc=angelogioacchino.delregno@collabora.com \
    --cc=jianhao.xu@seu.edu.cn \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mediatek@lists.infradead.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=matthias.bgg@gmail.com \
    --cc=nbd@nbd.name \
    --cc=ryder.lee@mediatek.com \
    --cc=sean.wang@mediatek.com \
    --cc=shayne.chen@mediatek.com \
    --cc=zilin@seu.edu.cn \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.