2021-04-13 14:34:44

by Dan Carpenter

Subject: [bug report] cfg80211: limit scan results cache size

Hello Johannes Berg,

The patch 9853a55ef1bb: "cfg80211: limit scan results cache size"
from Nov 15, 2016, leads to the following static checker warning:

net/wireless/scan.c:1754 cfg80211_bss_update()
warn: '&new->hidden_list' not removed from list

net/wireless/scan.c
1721         memcpy(new, tmp, sizeof(*new));
1722         new->refcount = 1;
1723         INIT_LIST_HEAD(&new->hidden_list);
1724         INIT_LIST_HEAD(&new->pub.nontrans_list);
1725
1726         if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
1727             hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
1728             if (!hidden)
1729                 hidden = rb_find_bss(rdev, tmp,
1730                                      BSS_CMP_HIDE_NUL);
1731             if (hidden) {
1732                 new->pub.hidden_beacon_bss = &hidden->pub;
1733                 list_add(&new->hidden_list,
                              ^^^^^^^^^^^^^^^^^
1734                          &hidden->hidden_list);
                              ^^^^^^^^^^^^^^^^^^^^
"new" gets added to the list

1735                 hidden->refcount++;
                     ^^^^^^^^^^^^^^^^^^^
1736                 rcu_assign_pointer(new->pub.beacon_ies,
1737                                    hidden->pub.beacon_ies);
1738             }
1739         } else {
1740             /*
1741              * Ok so we found a beacon, and don't have an entry. If
1742              * it's a beacon with hidden SSID, we might be in for an
1743              * expensive search for any probe responses that should
1744              * be grouped with this beacon for updates ...
1745              */
1746             if (!cfg80211_combine_bsses(rdev, new)) {
1747                 kfree(new);
1748                 goto drop;
1749             }
1750         }
1751
1752         if (rdev->bss_entries >= bss_entries_limit &&
1753             !cfg80211_bss_expire_oldest(rdev)) {
1754             kfree(new);
                 ^^^^^^^^^^
It seems like it's still on the list when we free "new", leading to a
use after free.

1755             goto drop;
1756         }

regards,
dan carpenter
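The linked-then-freed sequence in the report above, as an added user-space model that is not kernel code and not the upstream patch: a minimal list_head-style intrusive list, the line 1754 drop path with and without an assumed remedy (unlink "new" and drop hidden's reference before freeing), and a list walk that detects a freed entry still reachable from hidden's list. The static objects and the "freed" flag are constructed stand-ins so the defect is observable without a real use after free.

```c
/* Added model of the report's list handling; not kernel code. */
#include <stddef.h>
struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL;
}
struct bss {
    int refcount;
    int freed;                      /* constructed stand-in for kfree() */
    struct list_head hidden_list;
};
static struct bss g_hidden, g_new;  /* constructed static objects, so no real UAF */

/* Models the drop path at line 1754 (cache full, nothing expirable).
 * fixed != 0 applies an assumed remedy: unlink and drop hidden's ref before free. */
static struct bss *bss_update(int fixed)
{
    struct bss *hidden = &g_hidden, *new_bss = &g_new;
    hidden->refcount = 1; hidden->freed = 0; init_list(&hidden->hidden_list);
    new_bss->refcount = 1; new_bss->freed = 0; init_list(&new_bss->hidden_list);

    /* Lines 1733-1735: new_bss is linked into hidden's list and pins hidden. */
    list_add(&new_bss->hidden_list, &hidden->hidden_list);
    hidden->refcount++;

    /* Lines 1752-1754: limit reached and expiry failed, so new_bss is dropped. */
    if (fixed) {
        list_del(&new_bss->hidden_list);
        hidden->refcount--;
    }
    new_bss->freed = 1;             /* kfree(new) */
    return hidden;
}
/* Walk hidden's list as a later reader would; returns 1 if it reaches a freed entry. */
static int list_has_freed_entry(const struct bss *hidden)
{
    for (const struct list_head *p = hidden->hidden_list.next; p != &hidden->hidden_list; p = p->next) {
        const struct bss *b = (const struct bss *)((const char *)p - offsetof(struct bss, hidden_list));
        if (b->freed) return 1;
    }
    return 0;
}
```

In the unfixed path the walk reaches the freed entry and hidden keeps the extra reference, which is the warning's "not removed from list"; in the fixed path the list is empty and the refcount is back to one.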