Message-ID: <a4ffdfc7-5eee-4c00-9ad2-00f3088f0d42@oss.qualcomm.com>
Date: Fri, 30 Jan 2026 18:32:16 +0800
From: Baochen Qiang <baochen.qiang@....qualcomm.com>
To: Zilin Guan <zilin@....edu.cn>, jeff.johnson@....qualcomm.com
Cc: ath11k@...ts.infradead.org, jianhao.xu@....edu.cn, jjohnson@...nel.org,
        linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org
Subject: Re: [PATCH v3] wifi: ath11k: fix memory leaks in beacon template
 setup



On 1/30/2026 4:44 PM, Zilin Guan wrote:
> The functions ath11k_mac_setup_bcn_tmpl_ema() and
> ath11k_mac_setup_bcn_tmpl_mbssid() allocate memory for beacon templates
> but fail to free it when parameter setup returns an error.
> 
> Since beacon templates must be released during normal execution, they
> must also be released in the error handling paths to prevent memory
> leaks.
> 
> Fix this by using unified exit paths with proper cleanup in the respective
> error paths.
> 
> Compile tested only. Issue found using a prototype static analysis tool
> and code review.
> 
> Fixes: 3a415daa3e8b ("wifi: ath11k: add P2P IE in beacon template")
> Fixes: 335a92765d30 ("wifi: ath11k: MBSSID beacon support")
> Suggested-by: Baochen Qiang <baochen.qiang@....qualcomm.com>
> Signed-off-by: Zilin Guan <zilin@....edu.cn>
> ---
> Changes in v3:
> - Add goto path for the beacons->cnt check for strict logical consistency.
> 
> Changes in v2:
> - Use unified exit paths for cleanup.
> 
>  drivers/net/wireless/ath/ath11k/mac.c | 28 ++++++++++++++++-----------
>  1 file changed, 17 insertions(+), 11 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
> index 4dfd08b58416..e872f416ea97 100644
> --- a/drivers/net/wireless/ath/ath11k/mac.c
> +++ b/drivers/net/wireless/ath/ath11k/mac.c
> @@ -1557,12 +1557,15 @@ static int ath11k_mac_setup_bcn_tmpl_ema(struct ath11k_vif *arvif,
>  	if (!beacons || !beacons->cnt) {
>  		ath11k_warn(arvif->ar->ab,
>  			    "failed to get ema beacon templates from mac80211\n");
> -		return -EPERM;
> +		ret = -EPERM;
> +		goto free;
>  	}
>  
>  	if (tx_arvif == arvif) {
> -		if (ath11k_mac_set_vif_params(tx_arvif, beacons->bcn[0].skb))
> -			return -EINVAL;
> +		if (ath11k_mac_set_vif_params(tx_arvif, beacons->bcn[0].skb)) {
> +			ret = -EINVAL;
> +			goto free;
> +		}
>  	} else {
>  		arvif->wpaie_present = tx_arvif->wpaie_present;
>  	}
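
Review bot: In the `!beacons || !beacons->cnt` branch, `goto free` now reaches `ieee80211_beacon_free_ema_list(beacons)` with `beacons` possibly NULL. That is only correct if the helper accepts a NULL argument; please state that in the commit message, or keep a plain `return -EPERM` for the `!beacons` case and use `goto free` only when `beacons` is non-NULL but `beacons->cnt` is zero.
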
> @@ -1589,11 +1592,11 @@ static int ath11k_mac_setup_bcn_tmpl_ema(struct ath11k_vif *arvif,
>  		}
>  	}
>  
> -	ieee80211_beacon_free_ema_list(beacons);
> -
>  	if (tx_arvif != arvif && !nontx_vif_params_set)
> -		return -EINVAL; /* Profile not found in the beacons */
> +		ret = -EINVAL; /* Profile not found in the beacons */
>  
> +free:
> +	ieee80211_beacon_free_ema_list(beacons);
>  	return ret;
>  }
>  
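
Review bot: The label `free:` placed before `ieee80211_beacon_free_ema_list(beacons)` does not say what it releases. Kernel style prefers labels that name the action, so a name along the lines of `free_ema_list:` would make the `goto` sites earlier in the function self-explanatory. Separately, `ret = -EINVAL` in the profile-not-found check overwrites whatever `ret` held at that point; this matches the old unconditional `return -EINVAL`, so a short note in the commit message that the return values are unchanged would help, given the patch is compile tested only.
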
> @@ -1622,19 +1625,22 @@ static int ath11k_mac_setup_bcn_tmpl_mbssid(struct ath11k_vif *arvif,
>  	}
>  
>  	if (tx_arvif == arvif) {
> -		if (ath11k_mac_set_vif_params(tx_arvif, bcn))
> -			return -EINVAL;
> +		if (ath11k_mac_set_vif_params(tx_arvif, bcn)) {
> +			ret = -EINVAL;
> +			goto free;
> +		}
>  	} else if (!ath11k_mac_set_nontx_vif_params(tx_arvif, arvif, bcn)) {
> -		return -EINVAL;
> +		ret = -EINVAL;
> +		goto free;
>  	}
>  
>  	ret = ath11k_wmi_bcn_tmpl(ar, arvif->vdev_id, &offs, bcn, 0);
> -	kfree_skb(bcn);
> -
>  	if (ret)
>  		ath11k_warn(ab, "failed to submit beacon template command: %d\n",
>  			    ret);
>  
> +free:
> +	kfree_skb(bcn);
>  	return ret;
>  }
>  
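
Review bot: In the `tx_arvif == arvif` branch the return value of `ath11k_mac_set_vif_params()` is discarded and replaced with a fixed `-EINVAL`. With the single exit at `free:` in place, `ret = ath11k_mac_set_vif_params(tx_arvif, bcn); if (ret) goto free;` would pass the callee's error through, assuming it returns an errno. If the fixed code is intentional, a one-line comment saying so would do. The adjacent `!ath11k_mac_set_nontx_vif_params(...)` test uses the opposite success convention, which is easy to misread next to it and also deserves a brief comment.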

Reviewed-by: Baochen Qiang <baochen.qiang@....qualcomm.com>

