wifi: mt76: do not free skb on ieee80211_tx_prepare_skb failure

nbd168 · nbd168 · commit d2b1e1aa8ec4 · 2026-03-10T14:46:09.000Z
ieee80211_tx_prepare_skb already frees the skb internally when
invoke_tx_handlers fails, so freeing it again in the caller leads to a
double-free / NULL pointer dereference in skb_release_data.

Signed-off-by: Felix Fietkau &lt;nbd@nbd.name&gt;
diff --git a/mac80211.c b/mac80211.c
@@ -2168,10 +2168,8 @@ mt76_offchannel_send_nullfunc(struct mt76_offchannel_cb_data *data,
 
 	if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb,
 				      phy->main_chandef.chan->band,
-				      &sta)) {
-		ieee80211_free_txskb(phy->hw, skb);
+				      &sta))
 		return;
-	}
 
 	if (sta)
 		wcid = (struct mt76_wcid *)sta->drv_priv;
diff --git a/scan.c b/scan.c
@@ -69,10 +69,8 @@ mt76_scan_send_probe(struct mt76_dev *dev, struct cfg80211_ssid *ssid)
 
 	rcu_read_lock();
 
-	if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL)) {
-		ieee80211_free_txskb(phy->hw, skb);
+	if (!ieee80211_tx_prepare_skb(phy->hw, vif, skb, band, NULL))
 		goto out;
-	}
 
 	info = IEEE80211_SKB_CB(skb);
 	if (req->no_cck)
