* [PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb()
@ 2026-05-31 9:10 Lorenzo Bianconi
2026-06-02 18:58 ` Dylan Eskew
From: Lorenzo Bianconi @ 2026-05-31 9:10 UTC
To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
Matthias Brugger, AngeloGioacchino Del Regno
Cc: linux-wireless, linux-arm-kernel, linux-mediatek,
Lorenzo Bianconi

If the link_conf or link_sta lookup fails in the mt7996_tx_prepare_skb routine,
the mt7996 driver leaks an already allocated tx token. Fix the issue by
releasing the token in case of error.

Fixes: 7ef0c7ad735b0 ("wifi: mt76: mt7996: Implement MLD address translation for EAPOL")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
drivers/net/wireless/mediatek/mt76/tx.c | 2 +-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index c98446057282..8c56344d211b 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1067,11 +1067,11 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
link_conf = rcu_dereference(vif->link_conf[wcid->link_id]);
if (!link_conf)
- return -EINVAL;
+ goto error_relase_token;
link_sta = rcu_dereference(sta->link[wcid->link_id]);
if (!link_sta)
- return -EINVAL;
+ goto error_relase_token;
dma_sync_single_for_cpu(mdev->dma_dev, tx_info->buf[1].addr,
tx_info->buf[1].len, DMA_TO_DEVICE);
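Review bot: the label used by both new goto lines is spelled error_relase_token; it should read error_release_token, here and at the label definition, before the misspelling gets copied into later error paths. According to the commit message the token is already allocated when these two lookups run, so if nothing between the allocation and the checks needs the token, doing the link_conf and link_sta lookups first would remove the need for an unwind on these paths.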
@@ -1176,6 +1176,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
tx_info->nbuf = MT_CT_DMA_BUF_NUM;
return 0;
+
+error_relase_token:
+ mt76_token_release(mdev, id, NULL);
+ return -EINVAL;
}
u32 mt7996_wed_init_buf(void *ptr, dma_addr_t phys, int token_id)
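Review bot: the new error path calls mt76_token_release(mdev, id, NULL), and with NULL for wake nothing is signalled if this release is the one that brings token_count under token_size - MT76_TOKEN_FREE_THR while q_tx[0] is blocked. Either pass a local bool and act on it, or add a comment saying why skipping the wake-up is safe on this path. The call is also only valid together with the "wake &&" guard added in tx.c in this same patch, since without it *wake would be written through a NULL pointer, so the two changes need to stay in one commit for bisection and for backports.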
diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
index 22f9690634c9..f96d9c471853 100644
--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -933,7 +933,7 @@ mt76_token_release(struct mt76_dev *dev, int token, bool *wake)
#endif
}
- if (dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
+ if (wake && dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
dev->phy.q_tx[0]->blocked)
*wake = true;
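Review bot: the added "wake &&" test makes the wake argument of mt76_token_release() optional, but neither a comment at the function nor the commit message says so; the commit message only describes the mt7996 error path. Add a sentence to the commit message and a short comment that wake may be NULL, so that anyone picking up the Fixes: change sees that the mac.c hunk depends on this guard.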
---
base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
change-id: 20260531-mt7996_tx_prepare_skb-token-leack-82e240d8c66f
Best regards,
--
Lorenzo Bianconi <lorenzo@kernel.org>
* Re: [PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb()
2026-05-31 9:10 [PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb() Lorenzo Bianconi
@ 2026-06-02 18:58 ` Dylan Eskew
2026-06-03 7:09 ` Lorenzo Bianconi
From: Dylan Eskew @ 2026-06-02 18:58 UTC
To: Lorenzo Bianconi, Felix Fietkau, Ryder Lee, Shayne Chen,
Sean Wang, Matthias Brugger, AngeloGioacchino Del Regno
Cc: linux-wireless, linux-arm-kernel, linux-mediatek

Hi Lore,

We have been seeing the token memory leak in our custom kernel. After
pulling your patch in, we are still getting the leak (validated with
kmemleak). How did you figure out where this potential leak was? I want
to determine if we are leaking because of our changes or if there are more
areas for token leakage.

-- Dylan

On 5/31/26 2:10 AM, Lorenzo Bianconi wrote:
> If link_conf or link_sta lookup fails in mt7996_tx_prepare_skb routine,
> mt7996 driver leaks an already allocated tx token. Fix the issue
> releasing the token in case of error.
>
> Fixes: 7ef0c7ad735b0 ("wifi: mt76: mt7996: Implement MLD address translation for EAPOL")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
> drivers/net/wireless/mediatek/mt76/tx.c | 2 +-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index c98446057282..8c56344d211b 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1067,11 +1067,11 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
>
> link_conf = rcu_dereference(vif->link_conf[wcid->link_id]);
> if (!link_conf)
> - return -EINVAL;
> + goto error_relase_token;
>
> link_sta = rcu_dereference(sta->link[wcid->link_id]);
> if (!link_sta)
> - return -EINVAL;
> + goto error_relase_token;
>
> dma_sync_single_for_cpu(mdev->dma_dev, tx_info->buf[1].addr,
> tx_info->buf[1].len, DMA_TO_DEVICE);
> @@ -1176,6 +1176,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
> tx_info->nbuf = MT_CT_DMA_BUF_NUM;
>
> return 0;
> +
> +error_relase_token:
> + mt76_token_release(mdev, id, NULL);
> + return -EINVAL;
> }
>
> u32 mt7996_wed_init_buf(void *ptr, dma_addr_t phys, int token_id)
> diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
> index 22f9690634c9..f96d9c471853 100644
> --- a/drivers/net/wireless/mediatek/mt76/tx.c
> +++ b/drivers/net/wireless/mediatek/mt76/tx.c
> @@ -933,7 +933,7 @@ mt76_token_release(struct mt76_dev *dev, int token, bool *wake)
> #endif
> }
>
> - if (dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> + if (wake && dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> dev->phy.q_tx[0]->blocked)
> *wake = true;
>
>
> ---
> base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
> change-id: 20260531-mt7996_tx_prepare_skb-token-leack-82e240d8c66f
>
> Best regards,
* Re: [PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb()
2026-06-02 18:58 ` Dylan Eskew
@ 2026-06-03 7:09 ` Lorenzo Bianconi
From: Lorenzo Bianconi @ 2026-06-03 7:09 UTC
To: Dylan Eskew
Cc: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
Matthias Brugger, AngeloGioacchino Del Regno, linux-wireless,
linux-arm-kernel, linux-mediatek

> Hi Lore,

Hi Dylan,

>
> We have been seeing the token memory leak in our custom kernel. After
> pulling your patch in, we are still getting the leak (validated with
> kmemleak). How did you figure out where this potential leak was? I want to
> determine if we are leaking because of our changes or if there's more areas
> for token leakage.

Can you please try to run kmemleak on Felix's tree to check if there are any
leftover leaks not fixed yet?

Regards,
Lorenzo

>
> -- Dylan
>
> On 5/31/26 2:10 AM, Lorenzo Bianconi wrote:
> > If link_conf or link_sta lookup fails in mt7996_tx_prepare_skb routine,
> > mt7996 driver leaks an already allocated tx token. Fix the issue
> > releasing the token in case of error.
> >
> > Fixes: 7ef0c7ad735b0 ("wifi: mt76: mt7996: Implement MLD address translation for EAPOL")
> > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> > ---
> > drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
> > drivers/net/wireless/mediatek/mt76/tx.c | 2 +-
> > 2 files changed, 7 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > index c98446057282..8c56344d211b 100644
> > --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > @@ -1067,11 +1067,11 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
> > link_conf = rcu_dereference(vif->link_conf[wcid->link_id]);
> > if (!link_conf)
> > - return -EINVAL;
> > + goto error_relase_token;
> > link_sta = rcu_dereference(sta->link[wcid->link_id]);
> > if (!link_sta)
> > - return -EINVAL;
> > + goto error_relase_token;
> > dma_sync_single_for_cpu(mdev->dma_dev, tx_info->buf[1].addr,
> > tx_info->buf[1].len, DMA_TO_DEVICE);
> > @@ -1176,6 +1176,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
> > tx_info->nbuf = MT_CT_DMA_BUF_NUM;
> > return 0;
> > +
> > +error_relase_token:
> > + mt76_token_release(mdev, id, NULL);
> > + return -EINVAL;
> > }
> > u32 mt7996_wed_init_buf(void *ptr, dma_addr_t phys, int token_id)
> > diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
> > index 22f9690634c9..f96d9c471853 100644
> > --- a/drivers/net/wireless/mediatek/mt76/tx.c
> > +++ b/drivers/net/wireless/mediatek/mt76/tx.c
> > @@ -933,7 +933,7 @@ mt76_token_release(struct mt76_dev *dev, int token, bool *wake)
> > #endif
> > }
> > - if (dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> > + if (wake && dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> > dev->phy.q_tx[0]->blocked)
> > *wake = true;
> >
> > ---
> > base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
> > change-id: 20260531-mt7996_tx_prepare_skb-token-leack-82e240d8c66f
> >
> > Best regards,
>