From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nguyen Dinh Phi , Johannes Berg Subject: [PATCH 5.10 27/67] cfg80211: Fix possible memory leak in function cfg80211_bss_update Date: Mon, 2 Aug 2021 15:44:50 +0200 Message-Id: <20210802134339.942278538@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134339.023067817@linuxfoundation.org> References: <20210802134339.023067817@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nguyen Dinh Phi commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputed ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, beside of dropping it from hidden_list. Signed-off-by: Nguyen Dinh Phi Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_regi * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } } if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }
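Review bot: The commit message describes only the bss_entries_limit path, but the first change in this hunk, in the `!cfg80211_combine_bsses(rdev, new)` branch, also replaces `kfree(new)` with `bss_ref_put(rdev, new)`; the message should say that this path leaked the ies too, or explain why it is touched. In the second branch the explicit `list_del(&new->hidden_list)` is removed along with the `kfree(new)`, so correctness now depends on `bss_ref_put()` unlinking `new` from hidden_list, releasing its ies, and actually freeing `new` at the reference count it holds at this point. None of that is visible in these lines, so a short comment at the call sites stating what `bss_ref_put()` is relied on to do would make the backport easier to verify.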