[PATCH] wifi: mt76: mt7996: Fix possible token leak in mt7996_tx_prepare_skb()
Dylan Eskew
dylan.eskew at candelatech.com
Tue Jun 2 11:58:32 PDT 2026
Hi Lore,
We have been seeing the token memory leak in our custom kernel. After
pulling your patch in, we are still getting the leak (validated with
kmemleak). How did you figure out where this potential leak was? I want
to determine if we are leaking because of our changes or if there's more
areas for token leakage.
-- Dylan
On 5/31/26 2:10 AM, Lorenzo Bianconi wrote:
> If link_conf or link_sta lookup fails in mt7996_tx_prepare_skb routine,
> mt7996 driver leaks an already allocated tx token. Fix the issue
> releasing the token in case of error.
>
> Fixes: 7ef0c7ad735b0 ("wifi: mt76: mt7996: Implement MLD address translation for EAPOL")
> Signed-off-by: Lorenzo Bianconi <lorenzo at kernel.org>
> ---
> drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 8 ++++++--
> drivers/net/wireless/mediatek/mt76/tx.c | 2 +-
> 2 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> index c98446057282..8c56344d211b 100644
> --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> @@ -1067,11 +1067,11 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
>
> link_conf = rcu_dereference(vif->link_conf[wcid->link_id]);
> if (!link_conf)
> - return -EINVAL;
> + goto error_relase_token;
>
> link_sta = rcu_dereference(sta->link[wcid->link_id]);
> if (!link_sta)
> - return -EINVAL;
> + goto error_relase_token;
>
> dma_sync_single_for_cpu(mdev->dma_dev, tx_info->buf[1].addr,
> tx_info->buf[1].len, DMA_TO_DEVICE);
> @@ -1176,6 +1176,10 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr,
> tx_info->nbuf = MT_CT_DMA_BUF_NUM;
>
> return 0;
> +
> +error_relase_token:
> + mt76_token_release(mdev, id, NULL);
> + return -EINVAL;
> }
>
> u32 mt7996_wed_init_buf(void *ptr, dma_addr_t phys, int token_id)
> diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
> index 22f9690634c9..f96d9c471853 100644
> --- a/drivers/net/wireless/mediatek/mt76/tx.c
> +++ b/drivers/net/wireless/mediatek/mt76/tx.c
> @@ -933,7 +933,7 @@ mt76_token_release(struct mt76_dev *dev, int token, bool *wake)
> #endif
> }
>
> - if (dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> + if (wake && dev->token_count < dev->token_size - MT76_TOKEN_FREE_THR &&
> dev->phy.q_tx[0]->blocked)
> *wake = true;
>
>
> ---
> base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
> change-id: 20260531-mt7996_tx_prepare_skb-token-leack-82e240d8c66f
>
> Best regards,
More information about the linux-arm-kernel
mailing list