From: Dylan Eskew <dylan.eskew@candelatech.com>
To: Lorenzo Bianconi <lorenzo@kernel.org>,
Felix Fietkau <nbd@nbd.name>, Ryder Lee <ryder.lee@mediatek.com>,
Shayne Chen <shayne.chen@mediatek.com>,
Sean Wang <sean.wang@mediatek.com>,
Matthias Brugger <matthias.bgg@gmail.com>,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@collabora.com>
Cc: linux-wireless@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-mediatek@lists.infradead.org
Subject: Re: [PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb()
Date: Tue, 2 Jun 2026 11:58:32 -0700
Message-ID: <80ff2108-dce3-4060-a8d0-59740979a99a@candelatech.com>
In-Reply-To: <20260531-mt7996_tx_prepare_skb-token-leack-v1-1-2b9c9f59ceb1@kernel.org>
Hi Lore,
We have been seeing the token memory leak in our custom kernel. After
pulling your patch in, we are still getting the leak (validated with
kmemleak). How did you figure out where this potential leak was? I want
to determine if we are leaking because of our changes or if there are more
areas for token leakage.
-- Dylan
On 5/31/26 2:10 AM, Lorenzo Bianconi wrote:
> If link_conf or link_sta lookup fails in mt7996_tx_prepare_skb routine,
> mt7996 driver leaks an already allocated tx token. Fix the issue
> releasing the token in case of error.
>
> Fixes: 7ef0c7ad735b0 ("wifi: mt76: mt7996: Implement MLD address translation for EAPOL")
> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
> drivers/net/wireless/mediatek/mt76/tx.c | 2 +-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index c98446057282..8c56344d211b 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1067,11 +1067,11 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
>
> link_conf = rcu_dereference(vif->link_conf[wcid->link_id]);
> if (!link_conf)
> - return -EINVAL;
> + goto error_relase_token;
>
> link_sta = rcu_dereference(sta->link[wcid->link_id]);
> if (!link_sta)
> - return -EINVAL;
> + goto error_relase_token;
>
> dma_sync_single_for_cpu(mdev->dma_dev, tx_info->buf[1].addr,
> tx_info->buf[1].len, DMA_TO_DEVICE);
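Review bot: the label in both new goto lines is misspelled, error_relase_token should be error_release_token, and the label definition further down needs the same rename. Separately, since the commit message says the token is already allocated when these two lookups run, it is worth checking whether the link_conf and link_sta lookups can move ahead of the allocation so that no unwind is needed, and whether any other early return between the allocation and this point needs the same treatment.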
> @@ -1176,6 +1176,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
> tx_info->nbuf = MT_CT_DMA_BUF_NUM;
>
> return 0;
> +
> +error_relase_token:
> + mt76_token_release(mdev, id, NULL);
> + return -EINVAL;
> }
>
> u32 mt7996_wed_init_buf(void *ptr, dma_addr_t phys, int token_id)
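Review bot: the error path calls mt76_token_release(mdev, id, NULL), which is only safe because the tx.c hunk in this same patch adds the "wake &&" guard; without it the "*wake = true" line would dereference NULL. The patch carries a Fixes: tag, so a backport that picks up only the mac.c part would introduce a NULL dereference on this path. Consider passing the address of a local bool here instead of NULL, or splitting the tx.c change into a prerequisite patch that the fix explicitly depends on.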
> diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
> index 22f9690634c9..f96d9c471853 100644
> --- a/drivers/net/wireless/mediatek/mt76/tx.c
> +++ b/drivers/net/wireless/mediatek/mt76/tx.c
> @@ -933,7 +933,7 @@ mt76_token_release(struct mt76_dev *dev, int token, bool *wake)
> #endif
> }
>
> - if (dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> + if (wake && dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> dev->phy.q_tx[0]->blocked)
> *wake = true;
>
>
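Review bot: putting "wake &&" first in the condition makes the wake argument optional, but nothing documents that, and a caller passing NULL now silently skips the q_tx[0]->blocked check, so a release from the new error path can never signal that a blocked queue should be woken. Please add a short comment on mt76_token_release() saying that wake may be NULL and what that implies, and confirm in the commit message that skipping the wake-up on the mt7996_tx_prepare_skb() error path is intended.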
> ---
> base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
> change-id: 20260531-mt7996_tx_prepare_skb-token-leack-82e240d8c66f
>
> Best regards,