Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp1640707pxy; Mon, 2 Aug 2021 06:53:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzMD5wFXFYlEVZ0rV4joqdjxUTDDzrOkU6f2sCmvvaZRKeJXiHg7c3yD6qNJ1UZbRQ5urQp X-Received: by 2002:a05:6638:974:: with SMTP id o20mr1937746jaj.10.1627912408770; Mon, 02 Aug 2021 06:53:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627912408; cv=none; d=google.com; s=arc-20160816; b=P7sjUifjp7+OAFPm7dcIh1P23boPx8xQ/p0/ZvwJUwBwUQQMFJsb+LEFqSdbsED+t8 Blfj8ESf5v2X/DSW/IY6tmkOKA4Yw4Pg2rpKkE3HdzV9umL8Ys4EwgwBSI6D1c3eYtFx R+6XgVMLcfHBU+hf+HDQODqSzFLf4/LKjuDfLTa5ZepAy9bkEmUFG1oeCb/wEtZOtkiG jTVhKpCnQUpITRMxm5/fuUQ4bte+A/lzXiospnnotzsPKrT/YGbKpv3xo34GIHEFWOAc D4AkJTMqTKa+Ok5qgbji9rGwlvCJVjBN2CUMrue1tAaLno72l+/hrXytk6loJZx9F3Oh 2bWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=5TRfKYplS1TlQjAWkJi5QYeicOTP5PQAIyaFlbVwz8o=; b=s9QInRb3lvpOg4onLTbhIodTFsCDMg05vVpAgmtpkZksoVLSrLDjgXiOW733zaB9R2 jMu3/LTrRzJ8+thjKLn59PU6ef39TRGG6/qxVNVSbOfVsDJWY4uaFUzlqNWb1XeD5vgx 5jkBHFtzHzS2+jk7YOwfYPXCbwhDTirs0YmqqUlIl5PfOkwIPloIlOFDDa0NbkqCYpiq r9eGACbkhdX/OePu8lIV1e4VgyzeH2vY2hAO//ZvbpBExo30kE+yg806I2D5cgof5cC9 kKINUnJIz+uCfBWaJ6wP5N3NsxbTUnCvHsh5wAqaaFqHRsVtHbJ8Lq2rLl1q74232Qce WO6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hBbJPFp2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i12si5140303ilu.109.2021.08.02.06.53.17; Mon, 02 Aug 2021 06:53:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=hBbJPFp2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234837AbhHBNvk (ORCPT + 99 others); Mon, 2 Aug 2021 09:51:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:57150 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234127AbhHBNrr (ORCPT ); Mon, 2 Aug 2021 09:47:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 572E960FF2; Mon, 2 Aug 2021 13:47:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627912045; bh=aajXcoGXJYjIcFceZgEHPqa5csuIAtkLTzG115AiRMw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=hBbJPFp2bLKBlFOJIhbg61iPbZC64pMWKZpoLiK8Bkeq27NIkfw7vsyDa+08UWTJQ vTJlDeY3bKA7EBDZ4vXZ11IpzOl1gJHrHLy/ofldKKtpxFsQGsPmlB65Dga+J4ms9Q SmUmgrUi8LirnsrjUEm1MTL9GQYZF1vATNbiEbd8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nguyen Dinh Phi , Johannes Berg Subject: [PATCH 4.9 24/32] cfg80211: Fix possible memory leak in function cfg80211_bss_update Date: Mon, 2 Aug 2021 15:44:44 +0200 Message-Id: <20210802134333.685861590@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134332.931915241@linuxfoundation.org> References: <20210802134332.931915241@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nguyen Dinh Phi commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputed ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, beside of dropping it from hidden_list. Signed-off-by: Nguyen Dinh Phi Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -949,16 +949,14 @@ cfg80211_bss_update(struct cfg80211_regi * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } } if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }