From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Nguyen Dinh Phi <phind.uet@gmail.com>,
Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 4.4 20/26] cfg80211: Fix possible memory leak in function cfg80211_bss_update
Date: Mon, 2 Aug 2021 15:44:30 +0200 [thread overview]
Message-ID: <20210802134332.688930536@linuxfoundation.org> (raw)
In-Reply-To: <20210802134332.033552261@linuxfoundation.org>
From: Nguyen Dinh Phi <phind.uet@gmail.com>
commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream.
When we exceed the limit of BSS entries, this function will free the
new entry, however, at this time, it is the last door to access the
inputed ies, so these ies will be unreferenced objects and cause memory
leak.
Therefore we should free its ies before deallocating the new entry, beside
of dropping it from hidden_list.
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/scan.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -947,16 +947,14 @@ cfg80211_bss_update(struct cfg80211_regi
* be grouped with this beacon for updates ...
*/
if (!cfg80211_combine_bsses(rdev, new)) {
- kfree(new);
+ bss_ref_put(rdev, new);
goto drop;
}
}
if (rdev->bss_entries >= bss_entries_limit &&
!cfg80211_bss_expire_oldest(rdev)) {
- if (!list_empty(&new->hidden_list))
- list_del(&new->hidden_list);
- kfree(new);
+ bss_ref_put(rdev, new);
goto drop;
}
next prev parent reply other threads:[~2021-08-02 13:48 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-02 13:44 [PATCH 4.4 00/26] 4.4.278-rc1 review Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 01/26] net: split out functions related to registering inflight socket files Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 02/26] af_unix: fix garbage collect vs MSG_PEEK Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 03/26] workqueue: fix UAF in pwq_unbound_release_workfn() Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 04/26] net/802/mrp: fix memleak in mrp_request_join() Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 05/26] net/802/garp: fix memleak in garp_request_join() Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 06/26] sctp: move 198 addresses from unusable to private scope Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 07/26] hfs: add missing clean-up in hfs_fill_super Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 08/26] hfs: fix high memory mapping in hfs_bnode_read Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 09/26] hfs: add lock nesting notation to hfs_find_init Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 10/26] ARM: dts: versatile: Fix up interrupt controller node names Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 11/26] lib/string.c: add multibyte memset functions Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 12/26] ARM: ensure the signal page contains defined contents Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 13/26] ocfs2: fix zero out valid data Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 14/26] ocfs2: issue zeroout to EOF blocks Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 15/26] can: usb_8dev: fix memory leak Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 16/26] can: ems_usb: " Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 17/26] can: esd_usb2: " Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 18/26] NIU: fix incorrect error return, missed in previous revert Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 19/26] x86/asm: Ensure asm/proto.h can be included stand-alone Greg Kroah-Hartman
2021-08-02 13:44 ` Greg Kroah-Hartman [this message]
2021-08-02 13:44 ` [PATCH 4.4 21/26] netfilter: nft_nat: allow to specify layer 4 protocol NAT only Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 22/26] tipc: fix sleeping in tipc accept routine Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 23/26] mlx4: Fix missing error code in mlx4_load_one() Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 24/26] net: llc: fix skb_over_panic Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 25/26] tulip: windbond-840: Fix missing pci_disable_device() in probe and remove Greg Kroah-Hartman
2021-08-02 13:44 ` [PATCH 4.4 26/26] sis900: " Greg Kroah-Hartman
2021-08-02 17:51 ` [PATCH 4.4 00/26] 4.4.278-rc1 review Pavel Machek
2021-08-03 14:57 ` Naresh Kamboju
2021-08-03 19:14 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210802134332.688930536@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=phind.uet@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).