Received: by 2002:a05:6a10:c7c6:0:0:0:0 with SMTP id h6csp1643490pxy; Mon, 2 Aug 2021 06:58:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6uHXXD9ZY14/wO2m7TICzQgW3q44F6W/bDtEu9whCYq26dXciALAyvS4ghyYO+hGG+/KN X-Received: by 2002:a05:6602:2091:: with SMTP id a17mr1762957ioa.175.1627912682889; Mon, 02 Aug 2021 06:58:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627912682; cv=none; d=google.com; s=arc-20160816; b=ZVv7+pndxYsfQnOAgRsUUOhj8dclJd28YHxHYfZJj3KSQq3uS3lRK08QW+rpEffhFi kBZ1fYDTkjJFSipfHvHQ5EXcdIl+vJZebfxd49qvFfEyCmGCDhUPxHK1J5/ge0ytQJ6v mDpanzgnEujFlSoFuQL0us1+DpPfJWEj5dH9mzXvxKfHmTCR00RocPp69n73cc5IzaTY ZtHGYoFlQ3lkamV0E6XVC80wn9/5pSkLDuuNKco6AcgR3FOY9LeANiujTfXtmxfUq+bd 9EPzx2uU3vFrU8EZQ7oVOPELbUl3yFiUWOuJ72ZR5R26bSO5H/iMgCGZd3g8+Kfk3KuL v4FQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=HB5i/JNKODEVJvnanyRwTOTF/SvLbthlwOQ59ISj+nc=; b=JC0cbvCdqjjrYA/Uq0WGjCRT9iaM3UHopn95Cl/wWOWZjOMI/0GWhwEunkNX5gNC8M kwbnf3bq5T9wyW5niXhCwNUIU5+CBb9k2nTtvWyfkSdDC+d49x4hj7wF1GemHEHHaaee OcjFeBjK7CuQWBxzEVbFZphmLwBCkcRZoqO2l24crVER0XW5qPFzAPhGL9D4w8EAIX0w vPEFJ2+itlsGub2AYboyOCyVqvTTsLP3LGMV2nHTSbAxQFm9epYmo3NsnpfmjrEGXYLs mAvt94sB1PxoPUx17Z4yWFw3CHPKOJGmXXXoQIyf/l8uI9vV1M0H3ydkjMbDWjpI9MwY mIjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pLuOBjFO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o18si13548586jat.46.2021.08.02.06.57.51; Mon, 02 Aug 2021 06:58:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pLuOBjFO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236240AbhHBN5V (ORCPT + 99 others); Mon, 2 Aug 2021 09:57:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:34294 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234990AbhHBNvc (ORCPT ); Mon, 2 Aug 2021 09:51:32 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 42A3260F41; Mon, 2 Aug 2021 13:50:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627912258; bh=hdiXrvsG9NBKG+5eMK1AkbMzZVab2LrkHtcz0zqCmyk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pLuOBjFOusYYTtgS1pasyvsSPijOkbef+2gM5SAtMo3AOUDjhtUVEat+WdcmLcC5l FS53K8PKk/2VuKKZd6Qes2nBLsL8sF5u2CA4Kw6tX1EpKo+BzZO57i5FkPS3iRsR+m UJIFZn38T6jeIoynLS373HTjN/bxvtibIUx5LLoU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nguyen Dinh Phi , Johannes Berg Subject: [PATCH 5.4 19/40] cfg80211: Fix possible memory leak in function cfg80211_bss_update Date: Mon, 2 Aug 2021 15:44:59 +0200 Message-Id: <20210802134336.003473216@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134335.408294521@linuxfoundation.org> References: <20210802134335.408294521@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nguyen Dinh Phi commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputed ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, beside of dropping it from hidden_list. Signed-off-by: Nguyen Dinh Phi Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1250,16 +1250,14 @@ cfg80211_bss_update(struct cfg80211_regi * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } } if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }