lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e40bc0798fdb48c7919d3954803a7751@realtek.com>
Date: Thu, 28 Aug 2025 08:25:40 +0000
From: Zong-Zhe Yang <kevin_yang@...ltek.com>
To: Fedor Pchelkin <pchelkin@...ras.ru>, Ping-Ke Shih <pkshih@...ltek.com>
CC: Bernie Huang <phhuang@...ltek.com>,
        "linux-wireless@...r.kernel.org"
	<linux-wireless@...r.kernel.org>,
        "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>,
        "lvc-project@...uxtesting.org"
	<lvc-project@...uxtesting.org>
Subject: RE: [PATCH rtw v2 3/4] wifi: rtw89: fix leak in rtw89_core_send_nullfunc()

Fedor Pchelkin <pchelkin@...ras.ru> wrote:
> If there is no rtwsta_link found in rtw89_core_send_nullfunc(), allocated skb is leaked.  Free
> it on the error handling path.
> 
> Found by Linux Verification Center (linuxtesting.org).
> 
> Fixes: a8ba4acab7db ("wifi: rtw89: send nullfunc based on the given link")
> Signed-off-by: Fedor Pchelkin <pchelkin@...ras.ru>
> ---
>  drivers/net/wireless/realtek/rtw89/core.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/net/wireless/realtek/rtw89/core.c
> b/drivers/net/wireless/realtek/rtw89/core.c
> index 28bbc898b95e..e498c08151d5 100644
> --- a/drivers/net/wireless/realtek/rtw89/core.c
> +++ b/drivers/net/wireless/realtek/rtw89/core.c
> @@ -3454,14 +3454,14 @@ int rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct
> rtw89_vif_link *rt
>         sta = ieee80211_find_sta(vif, vif->cfg.ap_addr);
>         if (!sta) {
>                 ret = -EINVAL;
> -               goto out;
> +               goto out_unlock;
>         }
>         rtwsta = sta_to_rtwsta(sta);
> 
>         skb = ieee80211_nullfunc_get(rtwdev->hw, vif, link_id, qos);
>         if (!skb) {
>                 ret = -ENOMEM;
> -               goto out;
> +               goto out_unlock;
>         }
> 
>         hdr = (struct ieee80211_hdr *)skb->data; @@ -3471,22 +3471,23 @@ int
> rtw89_core_send_nullfunc(struct rtw89_dev *rtwdev, struct rtw89_vif_link *rt
>         rtwsta_link = rtwsta->links[rtwvif_link->link_id];
>         if (unlikely(!rtwsta_link)) {
>                 ret = -ENOLINK;
> -               goto out;
> +               goto out_free_skb;
>         }

How about just adding dev_kfree_skb_any(skb) here ?

> 
>         ret = rtw89_core_tx_write_link(rtwdev, rtwvif_link, rtwsta_link, skb, &qsel, true,
>                                        wait);
>         if (ret) {
>                 rtw89_warn(rtwdev, "nullfunc transmit failed: %d\n", ret);
> -               dev_kfree_skb_any(skb);
> -               goto out;
> +               goto out_free_skb;
>         }
> 
>         rcu_read_unlock();
> 
>         return rtw89_core_tx_kick_off_and_wait(rtwdev, skb, qsel,
>                                                timeout);
> -out:
> +out_free_skb:
> +       dev_kfree_skb_any(skb);
> +out_unlock:
>         rcu_read_unlock();
>         kfree(wait);
> 
> --
> 2.50.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ