Re: [PATCH ath] wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions

Re: [PATCH ath] wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions

[Jeff Johnson]

On 4/22/2026 9:32 AM, Nicolas Escande wrote:
> Some wmi functions were using plain 'return ath12k_wmi_cmd_send(...)'
> without explicitly handling the error code. This leads to leaking the skb
> in case of error.
> 
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00218-QCAHKSWPL_SILICONZ-1
> 
> Fixes: 66a9448b1b89 ("wifi: ath12k: implement hardware data filter")
> Fixes: 593174170919 ("wifi: ath12k: implement WoW enable and wakeup commands")
> Fixes: 4a3c212eee0e ("wifi: ath12k: add basic WoW functionalities")
> Fixes: 16f474d6d49d ("wifi: ath12k: add WoW net-detect functionality")
> Fixes: 1666108c74c4 ("wifi: ath12k: support ARP and NS offload")
> Fixes: aab4ae566fa1 ("wifi: ath12k: support GTK rekey offload")
> Fixes: 7af01e569529 ("wifi: ath12k: handle keepalive during WoWLAN suspend and resume")

@Stable team:

are you OK with one patch that fixes a bunch of places, or would you prefer a
separate patch per fixed commit?

/jeff

> Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
> ---
>  drivers/net/wireless/ath/ath12k/wmi.c | 103 ++++++++++++++++++++++----
>  1 file changed, 88 insertions(+), 15 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
> index 65a05a9520ff..75c87edd2a8a 100644
> --- a/drivers/net/wireless/ath/ath12k/wmi.c
> +++ b/drivers/net/wireless/ath/ath12k/wmi.c
> @@ -10251,7 +10251,7 @@ int ath12k_wmi_hw_data_filter_cmd(struct ath12k *ar, struct wmi_hw_data_filter_a
>  {
>  	struct wmi_hw_data_filter_cmd *cmd;
>  	struct sk_buff *skb;
> -	int len;
> +	int ret, len;
>  
>  	len = sizeof(*cmd);
>  	skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10275,7 +10275,13 @@ int ath12k_wmi_hw_data_filter_cmd(struct ath12k *ar, struct wmi_hw_data_filter_a
>  		   "wmi hw data filter enable %d filter_bitmap 0x%x\n",
>  		   arg->enable, arg->hw_filter_bitmap);
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_HW_DATA_FILTER_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_HW_DATA_FILTER_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_HW_DATA_FILTER_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_wow_host_wakeup_ind(struct ath12k *ar)
> @@ -10283,6 +10289,7 @@ int ath12k_wmi_wow_host_wakeup_ind(struct ath12k *ar)
>  	struct wmi_wow_host_wakeup_cmd *cmd;
>  	struct sk_buff *skb;
>  	size_t len;
> +	int ret;
>  
>  	len = sizeof(*cmd);
>  	skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10295,14 +10302,20 @@ int ath12k_wmi_wow_host_wakeup_ind(struct ath12k *ar)
>  
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow host wakeup ind\n");
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_wow_enable(struct ath12k *ar)
>  {
>  	struct wmi_wow_enable_cmd *cmd;
>  	struct sk_buff *skb;
> -	int len;
> +	int ret, len;
>  
>  	len = sizeof(*cmd);
>  	skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10317,7 +10330,13 @@ int ath12k_wmi_wow_enable(struct ath12k *ar)
>  	cmd->pause_iface_config = cpu_to_le32(WOW_IFACE_PAUSE_ENABLED);
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow enable\n");
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_wow_add_wakeup_event(struct ath12k *ar, u32 vdev_id,
> @@ -10327,6 +10346,7 @@ int ath12k_wmi_wow_add_wakeup_event(struct ath12k *ar, u32 vdev_id,
>  	struct wmi_wow_add_del_event_cmd *cmd;
>  	struct sk_buff *skb;
>  	size_t len;
> +	int ret;
>  
>  	len = sizeof(*cmd);
>  	skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10343,7 +10363,13 @@ int ath12k_wmi_wow_add_wakeup_event(struct ath12k *ar, u32 vdev_id,
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow add wakeup event %s enable %d vdev_id %d\n",
>  		   wow_wakeup_event(event), enable, vdev_id);
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_wow_add_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id,
> @@ -10356,6 +10382,7 @@ int ath12k_wmi_wow_add_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id,
>  	struct sk_buff *skb;
>  	void *ptr;
>  	size_t len;
> +	int ret;
>  
>  	len = sizeof(*cmd) +
>  	      sizeof(*tlv) +			/* array struct */
> @@ -10435,7 +10462,13 @@ int ath12k_wmi_wow_add_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id,
>  	ath12k_dbg_dump(ar->ab, ATH12K_DBG_WMI, NULL, "wow bitmask: ",
>  			bitmap->bitmaskbuf, pattern_len);
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ADD_WAKE_PATTERN_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_ADD_WAKE_PATTERN_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_WOW_ADD_WAKE_PATTERN_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_wow_del_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id)
> @@ -10443,6 +10476,7 @@ int ath12k_wmi_wow_del_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id)
>  	struct wmi_wow_del_pattern_cmd *cmd;
>  	struct sk_buff *skb;
>  	size_t len;
> +	int ret;
>  
>  	len = sizeof(*cmd);
>  	skb = ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10459,7 +10493,13 @@ int ath12k_wmi_wow_del_pattern(struct ath12k *ar, u32 vdev_id, u32 pattern_id)
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "wmi tlv wow del pattern vdev_id %d pattern_id %d\n",
>  		   vdev_id, pattern_id);
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_DEL_WAKE_PATTERN_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_WOW_DEL_WAKE_PATTERN_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_WOW_DEL_WAKE_PATTERN_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  static struct sk_buff *
> @@ -10595,6 +10635,7 @@ int ath12k_wmi_wow_config_pno(struct ath12k *ar, u32 vdev_id,
>  			      struct wmi_pno_scan_req_arg  *pno_scan)
>  {
>  	struct sk_buff *skb;
> +	int ret;
>  
>  	if (pno_scan->enable)
>  		skb = ath12k_wmi_op_gen_config_pno_start(ar, vdev_id, pno_scan);
> @@ -10604,7 +10645,13 @@ int ath12k_wmi_wow_config_pno(struct ath12k *ar, u32 vdev_id,
>  	if (IS_ERR_OR_NULL(skb))
>  		return -ENOMEM;
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_NETWORK_LIST_OFFLOAD_CONFIG_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  static void ath12k_wmi_fill_ns_offload(struct ath12k *ar,
> @@ -10717,6 +10764,7 @@ int ath12k_wmi_arp_ns_offload(struct ath12k *ar,
>  	void *buf_ptr;
>  	size_t len;
>  	u8 ns_cnt, ns_ext_tuples = 0;
> +	int ret;
>  
>  	ns_cnt = offload->ipv6_count;
>  
> @@ -10752,7 +10800,13 @@ int ath12k_wmi_arp_ns_offload(struct ath12k *ar,
>  	if (ns_ext_tuples)
>  		ath12k_wmi_fill_ns_offload(ar, offload, &buf_ptr, enable, 1);
>  
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_SET_ARP_NS_OFFLOAD_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_SET_ARP_NS_OFFLOAD_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_SET_ARP_NS_OFFLOAD_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_gtk_rekey_offload(struct ath12k *ar,
> @@ -10762,7 +10816,7 @@ int ath12k_wmi_gtk_rekey_offload(struct ath12k *ar,
>  	struct wmi_gtk_rekey_offload_cmd *cmd;
>  	struct sk_buff *skb;
>  	__le64 replay_ctr;
> -	int len;
> +	int ret, len;
>  
>  	len = sizeof(*cmd);
>  	skb =  ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10789,7 +10843,13 @@ int ath12k_wmi_gtk_rekey_offload(struct ath12k *ar,
>  
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "offload gtk rekey vdev: %d %d\n",
>  		   arvif->vdev_id, enable);
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_GTK_OFFLOAD_CMDID offload\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_gtk_rekey_getinfo(struct ath12k *ar,
> @@ -10797,7 +10857,7 @@ int ath12k_wmi_gtk_rekey_getinfo(struct ath12k *ar,
>  {
>  	struct wmi_gtk_rekey_offload_cmd *cmd;
>  	struct sk_buff *skb;
> -	int len;
> +	int ret, len;
>  
>  	len = sizeof(*cmd);
>  	skb =  ath12k_wmi_alloc_skb(ar->wmi->wmi_ab, len);
> @@ -10811,7 +10871,13 @@ int ath12k_wmi_gtk_rekey_getinfo(struct ath12k *ar,
>  
>  	ath12k_dbg(ar->ab, ATH12K_DBG_WMI, "get gtk rekey vdev_id: %d\n",
>  		   arvif->vdev_id);
> -	return ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
> +	ret = ath12k_wmi_cmd_send(ar->wmi, skb, WMI_GTK_OFFLOAD_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_GTK_OFFLOAD_CMDID getinfo\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_sta_keepalive(struct ath12k *ar,
> @@ -10822,6 +10888,7 @@ int ath12k_wmi_sta_keepalive(struct ath12k *ar,
>  	struct wmi_sta_keepalive_cmd *cmd;
>  	struct sk_buff *skb;
>  	size_t len;
> +	int ret;
>  
>  	len = sizeof(*cmd) + sizeof(*arp);
>  	skb = ath12k_wmi_alloc_skb(wmi->wmi_ab, len);
> @@ -10849,7 +10916,13 @@ int ath12k_wmi_sta_keepalive(struct ath12k *ar,
>  		   "wmi sta keepalive vdev %d enabled %d method %d interval %d\n",
>  		   arg->vdev_id, arg->enabled, arg->method, arg->interval);
>  
> -	return ath12k_wmi_cmd_send(wmi, skb, WMI_STA_KEEPALIVE_CMDID);
> +	ret = ath12k_wmi_cmd_send(wmi, skb, WMI_STA_KEEPALIVE_CMDID);
> +	if (ret) {
> +		ath12k_warn(ar->ab, "failed to send WMI_STA_KEEPALIVE_CMDID\n");
> +		dev_kfree_skb(skb);
> +	}
> +
> +	return ret;
>  }
>  
>  int ath12k_wmi_mlo_setup(struct ath12k *ar, struct wmi_mlo_setup_arg *mlo_params)

Re: [PATCH ath] wifi: ath12k: fix leak in some ath12k_wmi_xxx() functions

[Greg KH]

On Wed, Apr 22, 2026 at 05:08:59PM -0700, Jeff Johnson wrote:
> On 4/22/2026 9:32 AM, Nicolas Escande wrote:
> > Some wmi functions were using plain 'return ath12k_wmi_cmd_send(...)'
> > without explicitly handling the error code. This leads to leaking the skb
> > in case of error.
> > 
> > Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00218-QCAHKSWPL_SILICONZ-1
> > 
> > Fixes: 66a9448b1b89 ("wifi: ath12k: implement hardware data filter")
> > Fixes: 593174170919 ("wifi: ath12k: implement WoW enable and wakeup commands")
> > Fixes: 4a3c212eee0e ("wifi: ath12k: add basic WoW functionalities")
> > Fixes: 16f474d6d49d ("wifi: ath12k: add WoW net-detect functionality")
> > Fixes: 1666108c74c4 ("wifi: ath12k: support ARP and NS offload")
> > Fixes: aab4ae566fa1 ("wifi: ath12k: support GTK rekey offload")
> > Fixes: 7af01e569529 ("wifi: ath12k: handle keepalive during WoWLAN suspend and resume")
> 
> @Stable team:
> 
> are you OK with one patch that fixes a bunch of places, or would you prefer a
> separate patch per fixed commit?

I do not understand, we take what is in Linus's tree, so the same rules
apply here.  If the patch should be broken up for Linus's tree, that's
good for us in stable.  If it is one "big" one, then you have to deal
with the fall-out if it doesn't apply to all relevant stable releases by
providing a working backport for us :)

thanks,

greg k-h