From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Nguyen Dinh Phi , Johannes Berg Subject: [PATCH 5.13 034/104] cfg80211: Fix possible memory leak in function cfg80211_bss_update Date: Mon, 2 Aug 2021 15:44:31 +0200 Message-Id: <20210802134345.149149752@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210802134344.028226640@linuxfoundation.org> References: <20210802134344.028226640@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nguyen Dinh Phi commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputted ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, besides dropping it from hidden_list. Signed-off-by: Nguyen Dinh Phi Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1744,16 +1744,14 @@ cfg80211_bss_update(struct cfg80211_regi * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } } if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }
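
Review bot: the changelog only describes the `rdev->bss_entries >= bss_entries_limit` path, but the first change in this hunk, the `!cfg80211_combine_bsses(rdev, new)` branch, also replaces `kfree(new)` with `bss_ref_put(rdev, new)` and is not explained; the commit message should say whether the same ies leak applies there. In the second branch the explicit `if (!list_empty(&new->hidden_list)) list_del(&new->hidden_list);` is removed, so unlinking from hidden_list now depends on `bss_ref_put()` dropping the last reference to `new` and on the free path doing the list removal. Neither is visible in this hunk, so a short comment stating that `new` holds a single reference at this point would make both drop paths easier to verify when backporting to stable trees.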