* [PATCH AUTOSEL 6.19-5.15] staging: rtl8723bs: fix memory leak on failure path
[not found] <20260219020422.1539798-1-sashal@kernel.org>
@ 2026-02-19 2:03 ` Sasha Levin
2026-02-19 2:04 ` [PATCH AUTOSEL 6.19-5.15] staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure Sasha Levin
1 sibling, 0 replies; 2+ messages in thread
From: Sasha Levin @ 2026-02-19 2:03 UTC (permalink / raw)
To: patches, stable
Cc: Diksha Kumari, Mukesh Kumar Chaurasiya, Greg Kroah-Hartman,
Sasha Levin, linux-staging, linux-kernel
From: Diksha Kumari <dikshakdevgan@gmail.com>
[ Upstream commit abe850d82c8cb72d28700673678724e779b1826e ]
cfg80211_inform_bss_frame() may return NULL on failure. In that case,
the allocated buffer 'buf' is not freed and the function returns early,
leading to a potential memory leak.
Fix this by ensuring that 'buf' is freed on both success and failure paths.
Signed-off-by: Diksha Kumari <dikshakdevgan@gmail.com>
Reviewed-by: Mukesh Kumar Chaurasiya <mkchauras@linux.ibm.com>
Link: https://patch.msgid.link/20260113091712.7071-1-dikshakdevgan@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
The bug has been present since the original commit `554c0a3abf216c`
(Hans de Goede, 2017-03-29) — this is a long-standing bug.
## Verification Summary
- **git blame** confirmed the buggy code (the `goto exit` skipping
`kfree(buf)`) has been present since commit `554c0a3abf216c` from
March 2017 — this is a long-standing bug present in all stable trees
that carry this driver.
- **Code reading** confirmed `buf` is allocated at line 283 with
`kzalloc(MAX_BSSINFO_LEN, GFP_ATOMIC)` and only freed at line 321,
which is skipped when `goto exit` is taken at line 318.
- **The fix is trivially correct**: it changes `goto exit` to `goto
free_buf`, where `free_buf` is placed before `kfree(buf)`, ensuring
the buffer is always freed.
- The function `rtw_cfg80211_inform_bss()` is called during WiFi
scanning, which happens regularly — this leak is in a hot path, not a
one-time init path.
- This is a **staging driver**. Per stable kernel conventions, staging
changes are "usually not stable material." However, rtl8723bs is
widely used and this is a genuine, trivially-correct memory leak fix.
## Decision
This is a clear, trivially correct memory leak fix that meets all stable
kernel criteria:
- Fixes a real bug (memory leak on error path)
- Small and contained (3 lines changed in 1 file)
- Obviously correct
- No risk of regression
- Long-standing bug (since 2017) present in all stable trees carrying
this driver
The only concern is that this is a staging driver, which weakens the
case slightly. However, the rtl8723bs driver is widely used (common
Realtek WiFi chipset in budget devices), the fix is trivially correct,
and memory leaks in scanning code can cause real user-visible issues
(memory exhaustion over time). The fix was reviewed and accepted by Greg
Kroah-Hartman.
**YES**
drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
index 60edeae1cffe7..476ab055e53e5 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
@@ -315,9 +315,10 @@ struct cfg80211_bss *rtw_cfg80211_inform_bss(struct adapter *padapter, struct wl
len, notify_signal, GFP_ATOMIC);
if (unlikely(!bss))
- goto exit;
+ goto free_buf;
cfg80211_put_bss(wiphy, bss);
+free_buf:
kfree(buf);
exit:
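Review bot: The retargeted jump in the `if (unlikely(!bss))` branch closes the leak only for this one failure; any other `goto exit` taken after `buf` has been allocated would still skip `kfree(buf)`, so the remaining jumps to `exit:` in this function should be checked and pointed at `free_buf` where they apply. Because the new jump skips a single statement, guarding the call as `if (bss) cfg80211_put_bss(wiphy, bss);` and falling through to the unconditional `kfree(buf);` would give the same result without adding a second label.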
--
2.51.0
* [PATCH AUTOSEL 6.19-5.15] staging: rtl8723bs: fix missing status update on sdio_alloc_irq() failure
From: Sasha Levin @ 2026-02-19 2:04 UTC (permalink / raw)
To: patches, stable
Cc: Liang Jie, fanggeng, Greg Kroah-Hartman, Sasha Levin,
linux-staging, linux-kernel
From: Liang Jie <liangjie@lixiang.com>
[ Upstream commit 618b4aec12faabc7579a6b0df046842d798a4c7c ]
The return value of sdio_alloc_irq() was not stored in status.
If sdio_alloc_irq() fails after rtw_drv_register_netdev() succeeds,
status remains _SUCCESS and the error path skips resource cleanup,
while rtw_drv_init() still returns success.
Store the return value of sdio_alloc_irq() in status and reuse the
existing error handling which relies on status.
Reviewed-by: fanggeng <fanggeng@lixiang.com>
Signed-off-by: Liang Jie <liangjie@lixiang.com>
Link: https://patch.msgid.link/20251208092730.262499-1-buaajxlj@163.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
The driver has a long history with 2020 commits, meaning it's well-
established in the kernel tree and present in stable trees.
## Decision Analysis
**Arguments for YES:**
- Fixes a real bug: resource leak and incorrect success return on error
path
- Extremely small and surgical change (2 lines)
- Obviously correct - uses the same pattern as the line above it
- Low risk of regression
- The bug has been confirmed by code review (verified above at line 380)
- Reviewed by one reviewer and accepted by Greg Kroah-Hartman
**Arguments for NO:**
- This is a **staging driver** - stable kernel rules note staging
drivers are usually not stable material
- The bug only triggers on `sdio_alloc_irq()` failure - an error path
- Staging drivers are explicitly called out as usually not appropriate
for stable
## Verification
- Read the actual source file at
`drivers/staging/rtl8723bs/os_dep/sdio_intf.c` lines 350-409:
confirmed the bug at line 380 where `sdio_alloc_irq()` return value is
discarded while `status` remains `_SUCCESS` from line 376
- Confirmed the cleanup at lines 386-391 uses `status != _SUCCESS`
checks, so with `status == _SUCCESS`, cleanup of `if1` and `dvobj`
would be skipped
- Confirmed via `git log` that the driver has extensive history (2020
commits) and exists in stable trees
- The commit was reviewed and merged by Greg Kroah-Hartman (staging
maintainer)
- The diff is only 2 lines changed, making it trivially correct
## Final Assessment
While this is a legitimate bug fix that is small, safe, and obviously
correct, it affects a **staging driver**. Staging drivers are generally
considered not stable material because they are experimental, may have
many other bugs, and are expected to be in flux. The bug only triggers
on an error path (`sdio_alloc_irq()` failure), which limits real-world
impact.
However, rtl8723bs is one of the most widely-used staging drivers (found
in many budget ARM tablets and SBCs), and the fix is truly trivial with
zero risk. The resource leak and incorrect return value on IRQ
allocation failure are real bugs that could affect users. Given the
minimal risk and clear correctness, this is a borderline case that leans
toward YES despite being in staging.
**YES**
drivers/staging/rtl8723bs/os_dep/sdio_intf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/sdio_intf.c b/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
index 1d0239eef114b..dc787954126fd 100644
--- a/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
+++ b/drivers/staging/rtl8723bs/os_dep/sdio_intf.c
@@ -377,7 +377,8 @@ static int rtw_drv_init(
if (status != _SUCCESS)
goto free_if1;
- if (sdio_alloc_irq(dvobj) != _SUCCESS)
+ status = sdio_alloc_irq(dvobj);
+ if (status != _SUCCESS)
goto free_if1;
status = _SUCCESS;
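Review bot: With `status = sdio_alloc_irq(dvobj);` now checked immediately above it, the trailing context line `status = _SUCCESS;` is a redundant assignment, since it is reached only when `status` already equals `_SUCCESS`; it can be dropped here or in a follow-up. It is also worth confirming that the value sdio_alloc_irq() returns on failure is handled correctly by the code that turns `status` into the `int` result of rtw_drv_init(), which lies outside this hunk.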
--
2.51.0