[PATCH net] wifi: mac80211: fix memory leak in ieee80211_register_hw()

Next message: Mark Brown: "linux-next: build failure after merge of the drivers-x86 tree"
Previous message: Bjorn Andersson: "Re: [PATCH] clk: qcom: regmap-phy-mux: Rework the implementation"
Next in thread: Jeff Johnson: "Re: [PATCH net] wifi: mac80211: fix memory leak in ieee80211_register_hw()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dawei Feng

Date: Mon Jun 08 2026 - 11:53:05 EST

If kmemdup() fails while copying supported band structures, the error
path jumps to fail_rate. This skips rate_control_deinitialize() and
leaks the initialized local->rate_ctrl.

Fix this by redirecting the error path to fail_wiphy_register to
ensure proper cleanup.

The bug was first flagged by an experimental analysis tool we are
developing for kernel memory-management bugs while analyzing
v6.13-rc1. The tool is still under development and is not yet publicly
available. Manual inspection confirms that the bug is still present in
v7.1-rc7.

An x86_64 allyesconfig build showed no new warnings. As we do not have a
suitable mac80211 device/driver combination to test with, no runtime
testing was able to be performed.

Fixes: 09b4a4faf9d0 ("mac80211: introduce capability flags for VHT EXT NSS support")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Zilin Guan <zilin@xxxxxxxxxx>
Signed-off-by: Dawei Feng <dawei.feng@xxxxxxxxxx>
---
net/mac80211/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index f47dd58770ad..9306e0af3b5f 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -1599,7 +1599,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
sband = kmemdup(sband, sizeof(*sband), GFP_KERNEL);
if (!sband) {
result = -ENOMEM;
- goto fail_rate;
+ goto fail_wiphy_register;
}

wiphy_dbg(hw->wiphy, "copying sband (band %d) due to VHT EXT NSS BW flag\n",
--
2.34.1