1. Patchew
  2. linux
  3. View series

[PATCH] wireless: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()

Zilin Guan posted 1 patch 2 weeks, 6 days ago 
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] wireless: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
Posted by Zilin Guan 2 weeks, 6 days ago 
In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
the function currently returns -1 immediately without freeing the
previously allocated skb_aggr, causing a memory leak.

Since skb_aggr has not yet been queued via skb_queue_tail(), no other
references to this memory exist. Therefore, it has to be freed locally
before returning the error.

Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
returning the error status.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
---
 drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index 34b4b34276d6..042b1fe5f0d6 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -203,6 +203,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
 
 		if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
 			spin_unlock_bh(&priv->wmm.ra_list_spinlock);
+			mwifiex_write_data_complete(adapter, skb_aggr, 1, -1);
 			return -1;
 		}
 
-- 
2.34.1
Re: [PATCH] wireless: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
Posted by Jeff Chen 2 weeks, 2 days ago 
On Mon, Jan 19, 2026 at 09:26:25 AM +0000, Zilin Guan wrote:
> In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
> mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
> the function currently returns -1 immediately without freeing the
> previously allocated skb_aggr, causing a memory leak.
> 
> Since skb_aggr has not yet been queued via skb_queue_tail(), no other
> references to this memory exist. Therefore, it has to be freed locally
> before returning the error.
> 
> Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
> returning the error status.
> 
> Compile tested only. Issue found using a prototype static analysis tool
> and code review.
> 
> Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> ---
>  drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
> index 34b4b34276d6..042b1fe5f0d6 100644
> --- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
> +++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
> @@ -203,6 +203,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
>  
>  		if (!mwifiex_is_ralist_valid(priv, pra_list, ptrindex)) {
>  			spin_unlock_bh(&priv->wmm.ra_list_spinlock);
> +			mwifiex_write_data_complete(adapter, skb_aggr, 1, -1);
>  			return -1;
>  		}
>  
> -- 
> 2.34.1
> 
> 

Hi Zilin,

Patch looks good to me.

Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.