Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp1642857pxy; Mon, 2 Aug 2021 06:57:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzAQwxQGREy12hAiYXJ+BE/yeoO1nWxEQ6ZrBRssHPpXg99xshV+hpBUrWz5zG2y0Zf4nam X-Received: by 2002:a05:6602:1587:: with SMTP id e7mr859495iow.112.1627912619886; Mon, 02 Aug 2021 06:56:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627912619; cv=none; d=google.com; s=arc-20160816; b=EiQLi1aMqLfnZ/26AIfalIVq5b0fHia/EXZswC6cjhiemjO7OZ9ME7pyXPg4vHaYt+ dLbx4Kz9t+YFwjF6aq2t6skShqJycLQDOazKSdnO6i1SEzCHPURAZZ13JT8wDg3iAob2 n83rvbcagU18Rv0Xw0Kk1Xg1P7DeZTSApS6npwwrUIH+yBl24BnwUygUfIqcFzwaK30b q9B0SNL/oKjEC2YmjDJPvCktVKUFmeRGDgF7RYJ3T9SKZAA7dunXCD8i5a5PukeEGxku 48Nryn8MzkPqJdw5wQtGx/1CKYcu9/TCVhIDKBssJc/oE8wdNSRLp5VrS10gAVuvv6BB dhYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=G/ZnA25q+hwddPqIikJmgS2B6XEdIiXzLVMayyrBeWs=; b=uRAGIU0KKxyDWy5TzJXLT3+W6l6tbx4NVUQ3JU5fytbGa0bL6ZHmXCXEaifzyKm8a4 ZJc4cD4Tqc25DiC3ur7JpwGSbosTgYZdIgS6IJ3VufrE2Z9k55n3YxLKaDTbNvNd+sdP RsB+/JYt9zjxSuloxXEPk6nJ17zj2fXVddTypRrviHUYE2cYypU5t2C4+Pjdv8Fq5Wd9 9/2NFgB4Pruigyzo3Qgy55V0RnOUntzjyhoxH/Wz6FNg6T93TDGBmA7jtCh698GIDeMq 9gW3Pe2zutKkf4n8O+4Wu+HpEtHAQx4cnckSFStwfINHoxywXR1aKFaoUxv7rK1y/gRL PYvg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="RRD/LBKp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g2si14246339jat.88.2021.08.02.06.56.48; Mon, 02 Aug 2021 06:56:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="RRD/LBKp"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235593AbhHBN4F (ORCPT + 99 others); Mon, 2 Aug 2021 09:56:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:60706 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234973AbhHBNuk (ORCPT ); Mon, 2 Aug 2021 09:50:40 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B4F3A61107; Mon, 2 Aug 2021 13:50:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627912228; bh=iYjJOVfpp9NrXzGGiPZUpQ0b93HZfFINxXrg0Q5qzWc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RRD/LBKpl78o38GiC57c4k08N7KC516uSaWJ0aIZYNzIz8JitbL6/exMIakyr68eC txm9/cIex2M+/3G4KeNZEvW8z1Btl9Tzf3eohjeCp6Yrh4cqtWfjjNKDiwXOL8blgy KndNJqi9eaJwpdnX+cA7bJLRV9GgdjieP4kzRO/Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nguyen Dinh Phi , Johannes Berg Subject: [PATCH 4.19 15/30] cfg80211: Fix possible memory leak in function cfg80211_bss_update Date: Mon, 2 Aug 2021 15:44:53 +0200 Message-Id: <20210802134334.564820615@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134334.081433902@linuxfoundation.org> References: <20210802134334.081433902@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nguyen Dinh Phi commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputed ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, beside of dropping it from hidden_list. Signed-off-by: Nguyen Dinh Phi Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1029,16 +1029,14 @@ cfg80211_bss_update(struct cfg80211_regi * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } } if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }