wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure

ieee80211_tx_prepare_skb() has three error paths, but only two of them
free the skb. The first error path (ieee80211_tx_prepare() returning
TX_DROP) does not free it, while invoke_tx_handlers() failure and the
fragmentation check both do.

Add kfree_skb() to the first error path so all three are consistent,
and remove the now-redundant frees in callers (ath9k, mt76,
mac80211_hwsim) to avoid double-free.

Document the skb ownership guarantee in the function's kdoc.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://patch.msgid.link/20260314065455.2462900-1-nbd@nbd.name
Fixes: 06be6b149f7e ("mac80211: add ieee80211_tx_prepare_skb() helper function")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/drivers/net/wireless/ath/ath9k/channel.c b/drivers/net/wireless/ath/ath9k/channel.c
index 121e51ce1bc0ea09dd005188151f2a2cbb06ce88..8b27d8cc086ab755f6e90331f2e99d1e2e6620c6 100644 (file)
--- a/drivers/net/wireless/ath/ath9k/channel.c
+++ b/drivers/net/wireless/ath/ath9k/channel.c
@@ -1006,7 +1006,7 @@ static void ath_scan_send_probe(struct ath_softc *sc,
        skb_set_queue_mapping(skb, IEEE80211_AC_VO);
 
        if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, NULL))
-               goto error;
+               return;
 
        txctl.txq = sc->tx.txq_map[IEEE80211_AC_VO];
        if (ath_tx_start(sc->hw, skb, &txctl))
@@ -1119,10 +1119,8 @@ ath_chanctx_send_vif_ps_frame(struct ath_softc *sc, struct ath_vif *avp,
 
                skb->priority = 7;
                skb_set_queue_mapping(skb, IEEE80211_AC_VO);
-               if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta)) {
-                       dev_kfree_skb_any(skb);
+               if (!ieee80211_tx_prepare_skb(sc->hw, vif, skb, band, &sta))
                        return false;
-               }
                break;
        default:
                return false;

diff --git a/drivers/net/wireless/mediatek/mt76/scan.c b/drivers/net/wireless/mediatek/mt76/scan.c
index ff9176cdee3dee2b97f281a942cb91a631c24bcf..63b0447e55c15b08d57fe5299d371cce24286802 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/scan.c
+++ b/drivers/net/wireless/mediatek/mt76/scan.c
@@ -63,10 +63,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
 
        rcu_read_lock();
 
-       if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) {
-               ieee80211_free_txskb(phy->hw, skb);
+       if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL))
                goto out;
-       }
 
        info = IEEE80211_SKB_CB(skb);
        if (req->no_cck)

diff --git a/drivers/net/wireless/virtual/mac80211_hwsim.c b/drivers/net/wireless/virtual/mac80211_hwsim.c
index f6b890dea7e07d34b2de1bcfad75f1a92335c61f..1b6e55eb81a28b381b36321302a2e8518de5c940 100644 (file)
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
@@ -3021,7 +3021,6 @@ static void hw_scan_work(struct work_struct *work)
                                                      hwsim->tmp_chan->band,
                                                      NULL)) {
                                rcu_read_unlock();
-                               kfree_skb(probe);
                                continue;
                        }
 

diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 7f9d96939a4ea715eea288a83aeb9a0aa863c8df..adce2144a6788afbbf1290f5c421b803a60b8aa5 100644 (file)
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -7407,7 +7407,9 @@ void ieee80211_report_wowlan_wakeup(struct ieee80211_vif *vif,
  * @band: the band to transmit on
  * @sta: optional pointer to get the station to send the frame to
  *
- * Return: %true if the skb was prepared, %false otherwise
+ * Return: %true if the skb was prepared, %false otherwise.
+ * On failure, the skb is freed by this function; callers must not
+ * free it again.
  *
  * Note: must be called under RCU lock
  */

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 8cdbd417d7befb245e217b75185044163bde9638..b7aedaab848386eeae3d9e3e6e33b5b0809e96b9 100644 (file)
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1899,8 +1899,10 @@ bool ieee80211_tx_prepare_skb(struct ieee80211_hw *hw,
        struct ieee80211_tx_data tx;
        struct sk_buff *skb2;
 
-       if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP)
+       if (ieee80211_tx_prepare(sdata, &tx, NULL, skb) == TX_DROP) {
+               kfree_skb(skb);
                return false;
+       }
 
        info->band = band;
        info->control.vif = vif;