Fix memory leak where firmware is not released on error paths in
rtl8723b_FirmwareDownload().
After successfully calling request_firmware(), if the firmware size
check fails or if kmemdup() fails, the code jumps to the exit label
without calling release_firmware(), causing a memory leak.
Add a release_fw label to properly free the firmware in these er:qror
cases. Also add an error message when firmware size exceeds the limit to
help with debugging.
Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
---
drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
index 57c83f332e74..0eae624a36f0 100644
--- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
+++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
@@ -345,14 +345,16 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
}
if (fw->size > FW_8723B_SIZE) {
+ pr_err("Firmware size exceed, max: %d, actual: %zu\n",
+ FW_8723B_SIZE, fw->size);
rtStatus = _FAIL;
- goto exit;
+ goto release_fw;
}
pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
if (!pFirmware->fw_buffer_sz) {
rtStatus = _FAIL;
- goto exit;
+ goto release_fw;
}
pFirmware->fw_length = fw->size;
@@ -415,6 +417,10 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
goto fwdl_stat;
fwdl_stat:
+ goto exit;
+
+release_fw:
+ release_firmware(fw);
exit:
kfree(pFirmware->fw_buffer_sz);
--
2.50.1On Wed, Dec 17, 2025 at 05:14:11PM -0800, Samasth Norway Ananda wrote:
> Fix memory leak where firmware is not released on error paths in
> rtl8723b_FirmwareDownload().
>
> After successfully calling request_firmware(), if the firmware size
> check fails or if kmemdup() fails, the code jumps to the exit label
> without calling release_firmware(), causing a memory leak.
>
> Add a release_fw label to properly free the firmware in these er:qror
> cases. Also add an error message when firmware size exceeds the limit to
> help with debugging.
>
> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
> ---
> drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> index 57c83f332e74..0eae624a36f0 100644
> --- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> +++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
> @@ -345,14 +345,16 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
> }
>
> if (fw->size > FW_8723B_SIZE) {
> + pr_err("Firmware size exceed, max: %d, actual: %zu\n",
> + FW_8723B_SIZE, fw->size);
> rtStatus = _FAIL;
> - goto exit;
> + goto release_fw;
> }
>
> pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
> if (!pFirmware->fw_buffer_sz) {
> rtStatus = _FAIL;
> - goto exit;
> + goto release_fw;
> }
>
> pFirmware->fw_length = fw->size;
> @@ -415,6 +417,10 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
> goto fwdl_stat;
>
> fwdl_stat:
> + goto exit;
What's the point of this nonsense label the just does another goto?
regards,
dan carpenter
> +
> +release_fw:
> + release_firmware(fw);
>
> exit:
> kfree(pFirmware->fw_buffer_sz);
> --
> 2.50.1
>
On 12/17/25 11:14 PM, Dan Carpenter wrote:
> On Wed, Dec 17, 2025 at 05:14:11PM -0800, Samasth Norway Ananda wrote:
>> Fix memory leak where firmware is not released on error paths in
>> rtl8723b_FirmwareDownload().
>>
>> After successfully calling request_firmware(), if the firmware size
>> check fails or if kmemdup() fails, the code jumps to the exit label
>> without calling release_firmware(), causing a memory leak.
>>
>> Add a release_fw label to properly free the firmware in these er:qror
>> cases. Also add an error message when firmware size exceeds the limit to
>> help with debugging.
>>
>> Signed-off-by: Samasth Norway Ananda <samasth.norway.ananda@oracle.com>
>> ---
>> drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c | 10 ++++++++--
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
>> index 57c83f332e74..0eae624a36f0 100644
>> --- a/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
>> +++ b/drivers/staging/rtl8723bs/hal/rtl8723b_hal_init.c
>> @@ -345,14 +345,16 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
>> }
>>
>> if (fw->size > FW_8723B_SIZE) {
>> + pr_err("Firmware size exceed, max: %d, actual: %zu\n",
>> + FW_8723B_SIZE, fw->size);
>> rtStatus = _FAIL;
>> - goto exit;
>> + goto release_fw;
>> }
>>
>> pFirmware->fw_buffer_sz = kmemdup(fw->data, fw->size, GFP_KERNEL);
>> if (!pFirmware->fw_buffer_sz) {
>> rtStatus = _FAIL;
>> - goto exit;
>> + goto release_fw;
>> }
>>
>> pFirmware->fw_length = fw->size;
>> @@ -415,6 +417,10 @@ s32 rtl8723b_FirmwareDownload(struct adapter *padapter, bool bUsedWoWLANFw)
>> goto fwdl_stat;
>>
>> fwdl_stat:
>> + goto exit;
>
> What's the point of this nonsense label the just does another goto?
Thanks for the review Dan.
The intermediate label that just does "goto exit" is unnecessary. I will
rework patch 1 to call release_firmware() directly in each error path
instead of using an extra label.
regards,
Samasth.
>
> regards,
> dan carpenter
>
>> +
>> +release_fw:
>> + release_firmware(fw);
>>
>> exit:
>> kfree(pFirmware->fw_buffer_sz);
>> --
>> 2.50.1
>>
© 2016 - 2026 Red Hat, Inc.