git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
wifi: p54: Fix memory leak in p54_beacon_update()
author: Zilin Guan <zilin@seu.edu.cn>
Thu, 22 Jan 2026 08:59:45 +0000 (08:59 +0000)
committer: Johannes Berg <johannes.berg@intel.com>
Tue, 27 Jan 2026 12:43:14 +0000 (13:43 +0100)
In p54_beacon_update(), beacon is allocated via ieee80211_beacon_get().
If p54_beacon_format_ie_tim() fails, the function returns immediately
without freeing the allocated beacon skb, which would lead to a memory
leak.

Since no other references to this memory exist, it must be freed locally
before returning the error. Fix this by freeing the buffer using
dev_kfree_skb_any() in the error path.

Note that this error path is unreachable in practice because mac80211
guarantees a minimum TIM length of 4 bytes for non-S1G devices. This
change primarily serves to silence static analysis warnings and keep
the error handling logic complete.

Compile tested only. Issue found using a prototype static analysis tool
and code review.

Signed-off-by: Zilin Guan <zilin@seu.edu.cn>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Link: https://patch.msgid.link/20260122085945.444955-1-zilin@seu.edu.cn
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/intersil/p54/main.c

index 2ec3655f1a9c0b0aa70ba4c81c272913afd76648..57a62108cbc35a108ae645c7a5bfe25b875513d7 100644 (file)
@@ -143,8 +143,10 @@ static int p54_beacon_update(struct p54_common *priv,
        if (!beacon)
                return -ENOMEM;
        ret = p54_beacon_format_ie_tim(beacon);
-       if (ret)
+       if (ret) {
+               dev_kfree_skb_any(beacon);
                return ret;
+       }
 
        /*
         * During operation, the firmware takes care of beaconing.
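
Review bot: the cleanup in the new "if (ret) {" branch is open-coded for this one exit, so any other return between ieee80211_beacon_get() and the point where the skb is handed on would need the same free. The rest of p54_beacon_update() is not visible in this hunk; it is worth confirming that this is the only early exit that still owns beacon, or moving the free to a shared error label if there are more. dev_kfree_skb_any() is a safe choice of helper because it works in both interrupt and process context. The commit message says the change is compile tested only and carries no Fixes: tag; given that the path is described as unreachable, stating explicitly that no backport is intended would make that clear to stable maintainers.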