linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] wifi: cfg80211: fix a possible memory leak
@ 2022-11-01 20:19 Dinh Nguyen
  2022-12-01 14:21 ` Johannes Berg
  0 siblings, 1 reply; 2+ messages in thread
From: Dinh Nguyen @ 2022-11-01 20:19 UTC (permalink / raw)
  To: johannes
  Cc: dinguyen, davem, edumazet, kuba, pabeni, linux-wireless, netdev,
	linux-kernel

Klockworks reported a possible memory leak when
cfg80211_inform_single_bss_data() return on an error and ies is left
allocated.

Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
---
 net/wireless/scan.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 806a5f1330ff..3c81dc17e079 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
 
 	signal_valid = data->chan == channel;
 	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
-	if (!res)
+	if (!res) {
+		kfree(ies);
 		return NULL;
+	}
 
 	if (channel->band == NL80211_BAND_60GHZ) {
 		bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] wifi: cfg80211: fix a possible memory leak
  2022-11-01 20:19 [PATCH] wifi: cfg80211: fix a possible memory leak Dinh Nguyen
@ 2022-12-01 14:21 ` Johannes Berg
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2022-12-01 14:21 UTC (permalink / raw)
  To: Dinh Nguyen
  Cc: davem, edumazet, kuba, pabeni, linux-wireless, netdev, linux-kernel

On Tue, 2022-11-01 at 15:19 -0500, Dinh Nguyen wrote:
> Klockworks
> 
You probably mean "klocwork" :)

>  reported a possible memory leak when
> cfg80211_inform_single_bss_data() return on an error and ies is left
> allocated.
> 
> Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
> ---
>  net/wireless/scan.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 806a5f1330ff..3c81dc17e079 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
>  
>  	signal_valid = data->chan == channel;
>  	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
> -	if (!res)
> +	if (!res) {
> +		kfree(ies);
>  		return NULL;
> +	}
> 

To be honest this makes me a bit nervous - the function will take over
ownership of the tmp BSS in many cases if not all. Not saying it doesn't
have a bug, but at least one case inside of it *does* free it even in
the case of returning NULL and then you have a double-free?

So I think you didn't look at the code closely enough. Please do check
and follow up with a proper fix.

johannes

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-12-01 14:22 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-11-01 20:19 [PATCH] wifi: cfg80211: fix a possible memory leak Dinh Nguyen
2022-12-01 14:21 ` Johannes Berg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).