From nobody Fri Jun 12 22:51:11 2026 Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com [205.220.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7565F29BDBF for ; Tue, 12 May 2026 02:11:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.180.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778551881; cv=none; b=O79KRIQH94++3XojKfCpNGDdtSRjICs/lf6JbQMphdtmKKVx8yGwO1uo4pGG+9blD9jMaqhxSqm3j8dij07Vpuqe6ZtjJZu4vNrV+OuTCSAKpKMtZ+zSaNjvh3LGD3ljzMBxyIrNUB1RGoM5jDLu3kk7gMz1W/e4O0RcdYeJIZ0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778551881; c=relaxed/simple; bh=1ix2v0x4NIueJuSz7S/KNI6Bg/+wH1m9lcEvSIuOC9Y=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=orvt0GTvdE0QbYiWta/FTgZqDFi7XFsFNLXtUj7BgjqbEwxHai2k34MXBIkGX/bpGHEnRP47JZaWPcjyVC3kF8d8/VWxYJ0nzMPO6Bv7kU2gAwQO/IthFe+Mfs98ZI2ub7P2D/S/Vhf5cqaMjkcflL529fIopNvcG/xohpoGT8M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com; spf=pass smtp.mailfrom=oss.qualcomm.com; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b=V7yG1Iln; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b=Q9dBYtY7; arc=none smtp.client-ip=205.220.180.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=oss.qualcomm.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=qualcomm.com header.i=@qualcomm.com header.b="V7yG1Iln"; dkim=pass (2048-bit key) header.d=oss.qualcomm.com header.i=@oss.qualcomm.com header.b="Q9dBYtY7" Received: from pps.filterd (m0279868.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 64BK6anv2518218 for ; Tue, 12 May 2026 02:11:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qualcomm.com; h= cc:content-transfer-encoding:date:from:message-id:mime-version :subject:to; s=qcppdkim1; bh=CA7nGr21+KK5XIbbIwykumIJPEvosonoVez 2sxFOQ4Q=; b=V7yG1IlnyHUE1IAEIjbNBjk5XuWRO2SiWny1+ncLdSX7gOTn1c0 7GoQORyC9x+/m0lc+AKL6yL6QJX4w/MOruzmqKKj+1Q/zlfT21pwBHA3aLzLXIMs 9a5c8bFOP+MJY9IZjYXGmduYqtseZ5JtHafrLaIFi+xj8Flu/nl+CXCjPdZ2RLWV XP5kRRDRBCED6Z/1ojDRlsHqd7JmK36irGIQDISdl9mS5x+ltHvnpRDeIPmVil2C 8B0wCz7pvZnsNGyBvDym3urZdXr/3RPoLfpuU19ncHXUU3qpQH7u38ZPEm4AB4Dc pNp2IF9tQ+w4CLBfTZVS9KWkGLB+0c9CYyA== Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com [209.85.214.199]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 4e3nv1h1r4-1 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT) for ; Tue, 12 May 2026 02:11:19 +0000 (GMT) Received: by mail-pl1-f199.google.com with SMTP id d9443c01a7336-2b458add85aso54212615ad.2 for ; Mon, 11 May 2026 19:11:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oss.qualcomm.com; s=google; t=1778551878; x=1779156678; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=CA7nGr21+KK5XIbbIwykumIJPEvosonoVez2sxFOQ4Q=; b=Q9dBYtY7hYX+B70pIU5FQRG9ztPOctn7g+YgNQOxgCQCuxgMUvQV7zvTpO1juQ/6g8 qVUkjIQPb76BisfOqOl0jKNAPWCIQn2kUdZ/CRYlbtM/DlFhObDZmes97oCt5GD41rpE dYeoqXXVOLJ6z/r2/VO6rjyxl4OAOdT1QtDKjWKDJVThkcjDsYnwQxynIyovcCw9LPX7 t35NNkUg7XOfGkA7K2oHo7YlTYfp87ionP5UyJs2fhG2TMVgtIsdoDPsETMI+Tqt/d/v aunrjirC+OORa2y2sxykdiBHRIW9ly4dbdPf1jh1Pdu3RSyKiyKYwLa0gvG5jn+SFgoW GAZw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1778551878; x=1779156678; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=CA7nGr21+KK5XIbbIwykumIJPEvosonoVez2sxFOQ4Q=; b=iCG8BRTlqA5iHLAG9qobqZK2uVmQwKnGHxFGotlO67U17mOENHj5Rj1y/NczhEWMF2 POJymES2C3h/rPGcn8JbS8MHG1KfpfkoDGczerd9vXGs6J/qTQCIhzPtmHndCIxAxZOM hAxyexY5ywFJfDJ7KS8ciCcSHWyTiCyeCECKZN1s5fWBR5iVyBoGRzJVjSPfC4bAOedA RAnE2kCmgNX43YjJIRPqAEuN8Ew/lKTelLR+TWAIy3FCe+2SnxxWKEYApcVT0B2CVCpb jszsW6zgjdeQzprqhU4rWwkbKGSSd0QCI8hTl6fztizbIijW9QDgBMaEn8wKJetBpEKs NZTA== X-Forwarded-Encrypted: i=1; AFNElJ/ySUcoUQ17JwVm8FbI2oZVFop6bj08nPpbQYLCHwZH0Gcj29I4NxsweKnsoWx2oDwjzXqcuMnSBtSsA9s=@vger.kernel.org X-Gm-Message-State: AOJu0YytaIvk0qrSWfbkcfspMGkpA37q01twWKZZX47tlNodeq94Ms8q mqP7X4Z8CfwbIcTG/XXmdxbfyTf1K41FR7qjo7QcHUVD7Jwb7MgNLoGF2PMWOI8/Yom/2GOsucO +UJMhuqkedD22x5rJQoVYfg47Ir7kiyazsNBe3oUzHyXrMHbPiaz4wLwlSiBA/NIfXKc= X-Gm-Gg: Acq92OFyxprz5BDlEa/0joN6fafahfVKHYJPjAI88EwbdqPXKOvrnlElz/oOax2cYol grICJRkBdr5wBbCfS9/WpcTw75NxWU3AUWuVgUwXrvbZHJJSPK+J86jluCzznxVj1V7LMA30Vuw WdoMjFhq7/rOXvd54HgqbGjSYKLXYiQrUBG5t2x1HbOT1aJixuAj2IwkRBlnPWpNDQQs2snKquD 4E4LMHlIQC9VR8B53BcGJ61vccf4gYe+5MvZPpLWmMchjhgLJHoSTxV1PbvQ8QzwcroJIhT10m/ no7Yfz7FreOwV7riBP3jd0aZr2CC5sQ33EuW4jx4x8VrfhhhqHe62pIH3uxRu6onc4fkIRdDWaX tCeDhoEG+AAbgabsmwktJ+BB2XtOR8z235LiP6teYHaHIHuv/166QzO4/C96shQtH/7q+JzAu11 MiDS1D X-Received: by 2002:a17:902:f78d:b0:2ba:ba5c:2524 with SMTP id d9443c01a7336-2baba5c26d4mr203478725ad.11.1778551878297; Mon, 11 May 2026 19:11:18 -0700 (PDT) X-Received: by 2002:a17:902:f78d:b0:2ba:ba5c:2524 with SMTP id d9443c01a7336-2baba5c26d4mr203478355ad.11.1778551877748; Mon, 11 May 2026 19:11:17 -0700 (PDT) Received: from Z2-SFF-G9-MQ.ap.qualcomm.com (i-global052.qualcomm.com. [199.106.103.52]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-2baf1d26973sm121564825ad.12.2026.05.11.19.11.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 May 2026 19:11:17 -0700 (PDT) From: Miaoqing Pan To: jjohnson@kernel.org Cc: ath12k@lists.infradead.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Miaoqing Pan Subject: [PATCH ath-current] wifi: ath12k: fix memory leak in ath12k_wifi7_dp_rx_h_verify_tkip_mic() Date: Tue, 12 May 2026 10:11:08 +0800 Message-Id: <20260512021108.2031651-1-miaoqing.pan@oss.qualcomm.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Proofpoint-GUID: d1GPhVPDdIG7QM6EVnZsrlbtAbJ40OZ8 X-Proofpoint-ORIG-GUID: d1GPhVPDdIG7QM6EVnZsrlbtAbJ40OZ8 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTEyMDAxOSBTYWx0ZWRfX/770iOLmKucU iwBwXL+vwOBJhkw046JWaOvl+7ffZWezipfhrbqVXS9vsImVXqPLm4+qOrcaDPeWov9SwgNGsXX EobSlWea648AVi3pC2Gcb7rrFuABlrzhWpaX6/a+PzsNan/aVTanqlPaVr9bvWbfr4EykxEPK8d 1jlCBEg799V6aEurFHN43kp3VxLllVb9navpkD1CnWWNQ6o3gEKSb0z/KxJQzHr0EBHVrlNNa6S VJc+lne87hsL06MsZyUYx3XG7SX3SxO1A1R2FHPqOyaVePyYcEx03LvqfU4L5BD2Ee6A5XcLsrX Q8xzuZ1FiBO9ulf3epswy0L71Cxqi9dKBD51GkHCBRmbdrvcCmCzKDGoHU14h+aNqU4dy1UIP6J MKiiJLsTTEVbyCuTu+GJsqDlrhRI51Z+L+A+g4cRp80uvUQ/5TZP15UGohmR6nN5hgO+ueaiRId swK+OpHOtk6JYgq/wpw== X-Authority-Analysis: v=2.4 cv=c6ebhx9l c=1 sm=1 tr=0 ts=6a028c47 cx=c_pps a=JL+w9abYAAE89/QcEU+0QA==:117 a=b9+bayejhc3NMeqCNyeLQQ==:17 a=NGcC8JguVDcA:10 a=s4-Qcg_JpJYA:10 a=VkNPw1HP01LnGYTKEx00:22 a=u7WPNUs3qKkmUXheDGA7:22 a=ZpdpYltYx_vBUK5n70dp:22 a=EUspDBNiAAAA:8 a=c7r0Upnc4xhSCq5Kx9sA:9 a=324X-CrmTo6CU4MGRt3R:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-05-11_05,2026-05-08_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 adultscore=0 lowpriorityscore=0 priorityscore=1501 impostorscore=0 bulkscore=0 malwarescore=0 spamscore=0 suspectscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2605050000 definitions=main-2605120019 Content-Type: text/plain; charset="utf-8" In ath12k_wifi7_dp_rx_h_verify_tkip_mic(), the call to ath12k_dp_rx_check_nwifi_hdr_len_valid() may return false when the NWIFI header length is invalid, causing the function to abort early with -EINVAL. When this happens, the error propagates to ath12k_wifi7_dp_rx_h_defrag(), which clears first_frag by setting it to NULL. As a result, the corresponding MSDU is no longer referenced by the defragmentation path and is never freed. This leads to a memory leak for the affected MSDU on this error path. Proper cleanup is required to ensure the MSDU is released when header validation fails during TKIP MIC verification. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SIL= ICONZ-1.115823.3 Fixes: 9a0dddfb30f1 ("wifi: ath12k: Fix invalid data access in ath12k_dp_rx= _h_undecap_nwifi") Signed-off-by: Miaoqing Pan Reviewed-by: Baochen Qiang Reviewed-by: Tamizh Chelvam Raja --- drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c b/drivers/net/wi= reless/ath/ath12k/wifi7/dp_rx.c index 945680b3ebdf..a5e290edaa89 100644 --- a/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c @@ -1028,8 +1028,10 @@ static int ath12k_wifi7_dp_rx_h_verify_tkip_mic(stru= ct ath12k_pdev_dp *dp_pdev, skb_pull(msdu, hal_rx_desc_sz); =20 if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(dp, msdu, - rx_info))) + rx_info))) { + dev_kfree_skb_any(msdu); return -EINVAL; + } =20 ath12k_dp_rx_h_ppdu(dp_pdev, rx_info); ath12k_dp_rx_h_undecap(dp_pdev, msdu, HAL_ENCRYPT_TYPE_TKIP_MIC, true, --=20 2.34.1