[PATCH net] wifi: mac80211: fix memory leak in ieee80211_register_hw()

Dawei Feng posted 1 patch 2 weeks, 5 days ago
Posted by Dawei Feng 2 weeks, 5 days ago
If kmemdup() fails while copying supported band structures, the error
path jumps to fail_rate. This skips rate_control_deinitialize() and
leaks the initialized local->rate_ctrl.

Fix this by redirecting the error path to fail_wiphy_register to
ensure proper cleanup.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc7.

An x86_64 allyesconfig build showed no new warnings. As we do not have a
suitable mac80211 device/driver combination to test with, no runtime
testing was able to be performed.

Fixes: 09b4a4faf9d0 ("mac80211: introduce capability flags for VHT EXT NSS support")
Cc: stable@vger.kernel.org
Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
---
 net/mac80211/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index f47dd58770ad..9306e0af3b5f 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1599,7 +1599,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
 		sband = kmemdup(sband, sizeof(*sband), GFP_KERNEL);
 		if (!sband) {
 			result = -ENOMEM;
-			goto fail_rate;
+			goto fail_wiphy_register;
 		}
 
 		wiphy_dbg(hw->wiphy, "copying sband (band %d) due to VHT EXT NSS BW flag\n",
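Review bot: the hunk only retargets the goto, so nothing visible here shows what fail_wiphy_register actually unwinds; the commit message claims it runs rate_control_deinitialize(), but if this kmemdup() executes once per band, as the "band %d" debug line and the plural "supported band structures" in the description suggest, the error path also has to release the sband copies already duplicated on earlier iterations, and the commit message should state that the target label covers both. Jumping to a label named fail_wiphy_register from a point where wiphy_register() has not yet been attempted also misleads the next reader of this error path; a dedicated label (fail_band or similar) placed immediately before that cleanup, with the same unwind order, would express the intent without changing behaviour.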
-- 
2.34.1
Re: [PATCH net] wifi: mac80211: fix memory leak in ieee80211_register_hw()
Posted by Jeff Johnson 2 weeks, 4 days ago
On 6/8/2026 7:55 AM, Dawei Feng wrote:
> If kmemdup() fails while copying supported band structures, the error
> path jumps to fail_rate. This skips rate_control_deinitialize() and
> leaks the initialized local->rate_ctrl.
> 
> Fix this by redirecting the error path to fail_wiphy_register to
> ensure proper cleanup.
> 
> The bug was first flagged by an experimental analysis tool we are
> developing for kernel memory-management bugs while analyzing
> v6.13-rc1. The tool is still under development and is not yet publicly
> available. Manual inspection confirms that the bug is still present in
> v7.1-rc7.
> 
> An x86_64 allyesconfig build showed no new warnings. As we do not have a
> suitable mac80211 device/driver combination to test with, no runtime
> testing was able to be performed.
> 
> Fixes: 09b4a4faf9d0 ("mac80211: introduce capability flags for VHT EXT NSS support")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zilin Guan <zilin@seu.edu.cn>

why is this SOB here?

> Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>

this is the posted author of the patch, and this patch hasn't been posted
previously, so it is unclear why there is an additional S-o-b

> ---
>  net/mac80211/main.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/mac80211/main.c b/net/mac80211/main.c
> index f47dd58770ad..9306e0af3b5f 100644
> --- a/net/mac80211/main.c
> +++ b/net/mac80211/main.c
> @@ -1599,7 +1599,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
>  		sband = kmemdup(sband, sizeof(*sband), GFP_KERNEL);
>  		if (!sband) {
>  			result = -ENOMEM;
> -			goto fail_rate;
> +			goto fail_wiphy_register;

I'm wondering if it would be more logical to have another label at the same
place, i.e. fail_band, since it is illogical to goto fail_wiphy_register when
you aren't performing the wiphy_register function

>  		}
>  
>  		wiphy_dbg(hw->wiphy, "copying sband (band %d) due to VHT EXT NSS BW flag\n",
Re: [PATCH net] wifi: mac80211: fix memory leak in ieee80211_register_hw()
Posted by Dawei Feng 2 weeks, 4 days ago
Hi Jeff,

Thanks for your time and the review.

On Mon, Jun 8, 2026 at 10:24 AM, Jeff Johnson wrote:
> > Fixes: 09b4a4faf9d0 ("mac80211: introduce capability flags for VHT EXT NSS support")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
> 
> why is this SOB here?
> 
> > Signed-off-by: Dawei Feng <dawei.feng@seu.edu.cn>
> 
> this is the posted author of the patch, and this patch hasn't been posted
> previously, so it is unclear why there is an additional S-o-b

Zilin is the discoverer of this bug. We are in the same research group,
and he actively participated in reviewing this patch.

To better align with the kernel submission guidelines, I will add a
"Co-developed-by:" tag in the v2 patch for Zilin to properly reflect his
contributions. Would this be acceptable?

> I'm wondering if it would be more logical to have another label at the same
> place, i.e. fail_band, since it is illogical to goto fail_wiphy_register when
> you aren't performing the wiphy_register function

Thanks for the suggestion. I will add a new label fail_band and send out
the v2 patch soon.

Thanks,
Dawei