[PATCH v3 0/3] staging: rtl8723bs: fix error handling and memory leaks

[PATCH v3 0/3] staging: rtl8723bs: fix error handling and memory leaks

[Samasth Norway Ananda]

This series fixes memory leaks and missing error checks in rtl8723bs:

1. Firmware not released on error paths in rtl8723b_FirmwareDownload().
2. Buffer not freed when cfg80211_inform_bss_frame() fails.
3. Missing IS_ERR() check for kthread_run() in rtl8723b_start_thread().

Changes in v3:
-> Patch 3: remove rtl8723b_start_thread(), rtl8723b_stop_thread(), 
rtw_hal_start_thread() and rtw_hal_stop_thread() entirely, inlining 
the kthread handling directly to rtw_start_drv_threads() and 
rtw_stop_drv_threads() with proper IS_ERR() checking.


Changes in v2:
-> Patch 1: Call release_firmware() directly in error paths instead of
using intermediate goto label.
-> Dropped patch 4 (rtw_wdev_alloc) to study cleanup chain further.

Samasth Norway Ananda (3):
  staging: rtl8723bs: fix firmware memory leak on error
  staging: rtl8723bs: fix memory leak in rtw_cfg80211_inform_bss()
  staging: rtl8723bs: remove thread wraper functions and add IS_ERR()
    check

 drivers/staging/rtl8723bs/hal/hal_intf.c      | 11 ----------
 .../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 21 ++-----------------
 drivers/staging/rtl8723bs/include/hal_intf.h  |  3 ---
 .../staging/rtl8723bs/include/rtl8723b_hal.h  |  3 ---
 .../staging/rtl8723bs/os_dep/ioctl_cfg80211.c |  4 +++-
 drivers/staging/rtl8723bs/os_dep/os_intfs.c   | 16 ++++++++++++--
 6 files changed, 19 insertions(+), 39 deletions(-)

-- 
2.50.1

[PATCH v3 1/3] staging: rtl8723bs: fix firmware memory leak on error

[Samasth Norway Ananda]

After successfully calling request_firmware(), if the firmware size
check fails or if kmemdup() fails, the code jumps to the exit label
without calling release_firmware(), causing a memory leak. Call
release_firmware() directly in each error path before jumping to cleanup
label.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
index 054e2c2eab02..528bc05169de 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
@@ -346,12 +346,14 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool  bUsedWoWLANFw)
 
 	if (fw->size > FW_8723B_SIZE) {
 		rtStatus = _FAIL;
+		release_firmware(fw);
 		goto exit;
 	}
 
 	pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
 	if (!pFirmware->fw_buffer_sz) {
 		rtStatus = _FAIL;
+		release_firmware(fw);
 		goto exit;
 	}
 
-- 
2.50.1

[PATCH v3 2/3] staging: rtl8723bs: fix memory leak in rtw_cfg80211_inform_bss()

[Samasth Norway Ananda]

After successfully allocating buf with kzalloc(), if
cfg80211_inform_bss_frame() returns NULL, the code jumps to the exit
label without freeing buf, causing a memory leak. Add kfree(buf) before
the goto to properly free the buffer in this error case.

Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 60edeae1cffe..d80e23cfdf8d 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -314,8 +314,10 @@ struct cfg80211_bss *rtw_cfg80211_inform_bss(struct adapter *padapter, struct wl
 	bss = cfg80211_inform_bss_frame(wiphy, notify_channel, (struct ieee80211_mgmt *)buf,
 					len, notify_signal, GFP_ATOMIC);
 
-	if (unlikely(!bss))
+	if (unlikely(!bss)) {
+		kfree(buf);
 		goto exit;
+	}
 
 	cfg80211_put_bss(wiphy, bss);
 	kfree(buf);
-- 
2.50.1

[PATCH v3 3/3] staging: rtl8723bs: remove thread wraper functions and add IS_ERR() check

[Samasth Norway Ananda]

The rtl8723b_start_thread() and rtl8723b_stop_thread() functions are
wrappers that are only called from one place each. Remove these wrapper
functions and inline the thread handling directly in
rtw_start_drv_threads() and rtw_stop_drv_threads().

This also fixes a bug where kthread_run() was not checked for errors
using IS_ERR(). kthread_run() returns ERR_PTR(-ENOMEM) on failure, not
NULL. Without this check, the SdioXmitThread pointer could contain an
error value, causing issues when rtw_stop_drv_threads() later attempts
to use it.

The inlined code now follows the same pattern as xmitThread and
cmdThread in rtw_start_drv_threads(), with proper IS_ERR() checking.

Suggested-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
---
 drivers/staging/rtl8723bs/hal/hal_intf.c      | 11 -----------
 .../staging/rtl8723bs/hal/rtl8723b_hal_init.c | 19 -------------------
 drivers/staging/rtl8723bs/include/hal_intf.h  |  3 ---
 .../staging/rtl8723bs/include/rtl8723b_hal.h  |  3 ---
 drivers/staging/rtl8723bs/os_dep/os_intfs.c   | 16 ++++++++++++++--
 5 files changed, 14 insertions(+), 38 deletions(-)

diff --git a/drivers/staging/rtl8723bs/hal/hal_intf.c b/drivers/staging/rtl8723bs/hal/hal_intf.c
index 462553d296ff..f55b99f92691 100644
--- a/drivers/staging/rtl8723bs/hal/hal_intf.c
+++ b/drivers/staging/rtl8723bs/hal/hal_intf.c
@@ -218,17 +218,6 @@ void rtw_hal_add_ra_tid(struct adapter *padapter, u32 bitmap, u8 *arg, u8 rssi_l
 	rtl8723b_Add_RateATid(padapter, bitmap, arg, rssi_level);
 }
 
-/*Start specifical interface thread		*/
-void rtw_hal_start_thread(struct adapter *padapter)
-{
-	rtl8723b_start_thread(padapter);
-}
-/*Start specifical interface thread		*/
-void rtw_hal_stop_thread(struct adapter *padapter)
-{
-	rtl8723b_stop_thread(padapter);
-}
-
 u32 rtw_hal_read_bbreg(struct adapter *padapter, u32 RegAddr, u32 BitMask)
 {
 	return PHY_QueryBBReg_8723B(padapter, RegAddr, BitMask);
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
index 528bc05169de..3a8062d31175 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
@@ -2916,22 +2916,3 @@ u8 GetHalDefVar8723B(struct adapter *padapter, enum hal_def_variable variable, v
 
 	return bResult;
 }
-
-void rtl8723b_start_thread(struct adapter *padapter)
-{
-	struct xmit_priv *xmitpriv = &padapter->xmitpriv;
-
-	xmitpriv->SdioXmitThread = kthread_run(rtl8723bs_xmit_thread, padapter, "RTWHALXT");
-}
-
-void rtl8723b_stop_thread(struct adapter *padapter)
-{
-	struct xmit_priv *xmitpriv = &padapter->xmitpriv;
-
-	/*  stop xmit_buf_thread */
-	if (xmitpriv->SdioXmitThread) {
-		complete(&xmitpriv->SdioXmitStart);
-		wait_for_completion(&xmitpriv->SdioXmitTerminate);
-		xmitpriv->SdioXmitThread = NULL;
-	}
-}
diff --git a/drivers/staging/rtl8723bs/include/hal_intf.h b/drivers/staging/rtl8723bs/include/hal_intf.h
index 82b60899129d..b193854bfe6e 100644
--- a/drivers/staging/rtl8723bs/include/hal_intf.h
+++ b/drivers/staging/rtl8723bs/include/hal_intf.h
@@ -221,9 +221,6 @@ void rtw_hal_free_recv_priv(struct adapter *padapter);
 void rtw_hal_update_ra_mask(struct sta_info *psta, u8 rssi_level);
 void rtw_hal_add_ra_tid(struct adapter *padapter, u32 bitmap, u8 *arg, u8 rssi_level);
 
-void rtw_hal_start_thread(struct adapter *padapter);
-void rtw_hal_stop_thread(struct adapter *padapter);
-
 void beacon_timing_control(struct adapter *padapter);
 
 u32 rtw_hal_read_bbreg(struct adapter *padapter, u32 RegAddr, u32 BitMask);
diff --git a/drivers/staging/rtl8723bs/include/rtl8723b_hal.h b/drivers/staging/rtl8723bs/include/rtl8723b_hal.h
index 06e0a549fa9d..7ec84304a19e 100644
--- a/drivers/staging/rtl8723bs/include/rtl8723b_hal.h
+++ b/drivers/staging/rtl8723bs/include/rtl8723b_hal.h
@@ -231,9 +231,6 @@ void rtl8723b_InitBeaconParameters(struct adapter *padapter);
 void _InitBurstPktLen_8723BS(struct adapter *adapter);
 void _8051Reset8723(struct adapter *padapter);
 
-void rtl8723b_start_thread(struct adapter *padapter);
-void rtl8723b_stop_thread(struct adapter *padapter);
-
 int FirmwareDownloadBT(struct adapter *adapter, struct rt_firmware *firmware);
 
 void CCX_FwC2HTxRpt_8723b(struct adapter *padapter, u8 *pdata, u8 len);
diff --git a/drivers/staging/rtl8723bs/os_dep/os_intfs.c b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
index bc02db13781c..6080cdc2a096 100644
--- a/drivers/staging/rtl8723bs/os_dep/os_intfs.c
+++ b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
@@ -6,6 +6,7 @@
  ******************************************************************************/
 #include <drv_types.h>
 #include <hal_data.h>
+#include <rtl8723b_xmit.h>
 
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Realtek Wireless Lan Driver");
@@ -480,7 +481,13 @@ u32 rtw_start_drv_threads(struct adapter *padapter)
 	else
 		wait_for_completion(&padapter->cmdpriv.terminate_cmdthread_comp); /* wait for cmd_thread to run */
 
-	rtw_hal_start_thread(padapter);
+	padapter->xmitpriv.SdioXmitThread = kthread_run(rtl8723bs_xmit_thread,
+							padapter, "RTWHALXT");
+	if (IS_ERR(padapter->xmitpriv.SdioXmitThread)) {
+		padapter->xmitpriv.SdioXmitThread = NULL;
+		_status = _FAIL;
+	}
+
 	return _status;
 }
 
@@ -492,7 +499,12 @@ void rtw_stop_drv_threads(struct adapter *padapter)
 	complete(&padapter->xmitpriv.xmit_comp);
 	wait_for_completion(&padapter->xmitpriv.terminate_xmitthread_comp);
 
-	rtw_hal_stop_thread(padapter);
+	/* stop SdioXmitThread */
+	if (padapter->xmitpriv.SdioXmitThread) {
+		complete(&padapter->xmitpriv.SdioXmitStart);
+		wait_for_completion(&padapter->xmitpriv.SdioXmitTerminate);
+		padapter->xmitpriv.SdioXmitThread = NULL;
+	}
 }
 
 static void rtw_init_default_value(struct adapter *padapter)
-- 
2.50.1

Re: [PATCH v3 2/3] staging: rtl8723bs: fix memory leak in rtw_cfg80211_inform_bss()

[Greg KH]

On Thu, Jan 29, 2026 at 04:16:40PM -0800, Samasth Norway Ananda wrote:
> After successfully allocating buf with kzalloc(), if
> cfg80211_inform_bss_frame() returns NULL, the code jumps to the exit
> label without freeing buf, causing a memory leak. Add kfree(buf) before
> the goto to properly free the buffer in this error case.
> 
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>  drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> index 60edeae1cffe..d80e23cfdf8d 100644
> --- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
> @@ -314,8 +314,10 @@ struct cfg80211_bss *rtw_cfg80211_inform_bss(struct adapter *padapter, struct wl
>  	bss = cfg80211_inform_bss_frame(wiphy, notify_channel, (struct ieee80211_mgmt *)buf,
>  					len, notify_signal, GFP_ATOMIC);
>  
> -	if (unlikely(!bss))
> +	if (unlikely(!bss)) {
> +		kfree(buf);
>  		goto exit;
> +	}

This is already fixed in my tree, what branch did you make this against?

Always work against linux-next at the least, ideally against the proper
subsystem developer tree as documented in the MAINTAINERS file.

thanks,

greg k-h