| From f9a5c358c8d26fed0cc45f2afc64633d4ba21dff Mon Sep 17 00:00:00 2001 |
| From: Nguyen Dinh Phi <phind.uet@gmail.com> |
| Date: Mon, 28 Jun 2021 21:23:34 +0800 |
| Subject: cfg80211: Fix possible memory leak in function cfg80211_bss_update |
| |
| From: Nguyen Dinh Phi <phind.uet@gmail.com> |
| |
| commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream. |
| |
| When we exceed the limit of BSS entries, this function will free the |
| new entry, however, at this time, it is the last door to access the |
| inputed ies, so these ies will be unreferenced objects and cause memory |
| leak. |
| Therefore we should free its ies before deallocating the new entry, beside |
| of dropping it from hidden_list. |
| |
| Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com> |
| Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com |
| Signed-off-by: Johannes Berg <johannes.berg@intel.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/wireless/scan.c | 6 ++---- |
| 1 file changed, 2 insertions(+), 4 deletions(-) |
| |
| --- a/net/wireless/scan.c |
| +++ b/net/wireless/scan.c |
| @@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_regi |
| * be grouped with this beacon for updates ... |
| */ |
| if (!cfg80211_combine_bsses(rdev, new)) { |
| - kfree(new); |
| + bss_ref_put(rdev, new); |
| goto drop; |
| } |
| } |
| |
| if (rdev->bss_entries >= bss_entries_limit && |
| !cfg80211_bss_expire_oldest(rdev)) { |
| - if (!list_empty(&new->hidden_list)) |
| - list_del(&new->hidden_list); |
| - kfree(new); |
| + bss_ref_put(rdev, new); |
| goto drop; |
| } |
| |