sieni
/
linux
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure 

ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name
Fixes: 06be6b149f ("mac80211: add ieee80211_tx_prepare_skb() helper function")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Felix Fietkau 2026-03-14 06:54:55 +00:00 committed by Johannes Berg
parent deb353d9bb
commit d5ad6ab61c
5 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/net/wireless/ath/ath9k/channel.c
View File

@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
skb_set_queue_mapping(skb, IEEE80211_AC_VO); skb_set_queue_mapping(skb, IEEE80211_AC_VO);
if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL)) if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL))
goto error; return;
txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO]; txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO];
if (ath_tx_start(sc->hw, skb, &txctl)) if (ath_tx_start(sc->hw, skb, &txctl))
@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp,
skb->priority = 7; skb->priority = 7;
skb_set_queue_mapping(skb, IEEE80211_AC_VO); skb_set_queue_mapping(skb, IEEE80211_AC_VO);
if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) { if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta))
dev_kfree_skb_any(skb);
return false; return false;
}
break; break;
default: default:
return false; return false;

4
drivers/net/wireless/mediatek/mt76/scan.c
View File

@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
rcu_read_lock(); rcu_read_lock();
if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) { if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL))
ieee80211_free_txskb(phy->hw, skb);
goto out; goto out;
}
info = IEEE80211_SKB_CB(skb); info = IEEE80211_SKB_CB(skb);
if (req->no_cck) if (req->no_cck)

1
drivers/net/wireless/virtual/mac80211_hwsim.c
View File

@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work)
hwsim->tmp_chan->band, hwsim->tmp_chan->band,
NULL)) { NULL)) {
rcu_read_unlock(); rcu_read_unlock();
kfree_skb(probe);
continue; continue;
} }

4
include/net/mac80211.h
View File

@ -7407,7 +7407,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif,
* @band: the band to transmit on * @band: the band to transmit on
* @sta: optional pointer to get the station to send the frame to * @sta: optional pointer to get the station to send the frame to
* *
* Return: %true if the skb was prepared, %false otherwise * Return: %true if the skb was prepared, %false otherwise.
* On failure, the skb is freed by this function; callers must not
* free it again.
* *
* Note: must be called under RCU lock * Note: must be called under RCU lock
*/ */

4
net/mac80211/tx.c
View File

@ -1899,8 +1899,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
struct ieee80211_tx_data tx; struct ieee80211_tx_data tx;
struct sk_buff *skb2; struct sk_buff *skb2;
if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
kfree_skb(skb);
return false; return false;
}
info->band = band; info->band = band;
info->control.vif = vif; info->control.vif = vif;