From f9a5c358c8d26fed0cc45f2afc64633d4ba21dff Mon Sep 17 00:00:00 2001 |
From: Nguyen Dinh Phi <phind.uet@gmail.com> |
Date: Mon, 28 Jun 2021 21:23:34 +0800 |
Subject: cfg80211: Fix possible memory leak in function cfg80211_bss_update |
|
From: Nguyen Dinh Phi <phind.uet@gmail.com> |
|
commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. |
|
When we exceed the limit of BSS entries, this function will free the |
new entry, however, at this time, it is the last door to access the |
inputed ies, so these ies will be unreferenced objects and cause memory |
leak. |
Therefore we should free its ies before deallocating the new entry, beside |
of dropping it from hidden_list. |
|
Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> |
Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com |
Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
--- |
net/wireless/scan.c | 6 ++---- |
1 file changed, 2 insertions(+), 4 deletions(-) |
|
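--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_regi
 * be grouped with this beacon for updates ...
 */
 if (!cfg80211_combine_bsses(rdev, new)) {
- kfree(new);
+ bss_ref_put(rdev, new);
 goto drop;
 }
 }
 
 if (rdev->bss_entries >= bss_entries_limit &&
 !cfg80211_bss_expire_oldest(rdev)) {
- if (!list_empty(&new->hidden_list))
- list_del(&new->hidden_list);
- kfree(new);
+ bss_ref_put(rdev, new);
 goto drop;
 }
 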
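Review bot: Both new `bss_ref_put(rdev, new);` calls replace a plain `kfree(new)` with a full reference drop, so they are only balanced if `new` already holds its own reference on every other BSS entry it points to at these two points; the hunk shows neither where `new` is populated nor what `bss_ref_put()` releases. If a pointer to another entry was copied into `new` without a matching reference, the put would over-decrement that entry and could free it while it is still in use, so this is worth confirming against the helper before the backport is accepted. The second site also drops the explicit `list_del(&new->hidden_list)`, which is presumably now done inside the put. I would add a comment above the first call such as `/* drops new's refs: frees its ies and unlinks hidden_list */`. cfg80211_bss_update's body begins and ends outside the hunk.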