releases/5.10.56/cfg80211-fix-possible-memory-leak-in-function-cfg80211_bss_update.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From f9a5c358c8d26fed0cc45f2afc64633d4ba21dff Mon Sep 17 00:00:00 2001
 From: Nguyen Dinh Phi <phind.uet@gmail.com>
 Date: Mon, 28 Jun 2021 21:23:34 +0800
 Subject: cfg80211: Fix possible memory leak in function cfg80211_bss_update

 From: Nguyen Dinh Phi <phind.uet@gmail.com>

 commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream.

 When we exceed the limit of BSS entries, this function will free the
 new entry, however, at this time, it is the last door to access the
 inputed ies, so these ies will be unreferenced objects and cause memory
 leak.
 Therefore we should free its ies before deallocating the new entry, beside
 of dropping it from hidden_list.

 Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
 Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com
 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/wireless/scan.c |    6 ++----
  1 file changed, 2 insertions(+), 4 deletions(-)

 --- a/net/wireless/scan.c
 +++ b/net/wireless/scan.c
 @@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_regi
  			 * be grouped with this beacon for updates ...
  			 */
  			if (!cfg80211_combine_bsses(rdev, new)) {
 -				kfree(new);
 +				bss_ref_put(rdev, new);
  				goto drop;
  			}
  		}

  		if (rdev->bss_entries >= bss_entries_limit &&
  		    !cfg80211_bss_expire_oldest(rdev)) {
 -			if (!list_empty(&new->hidden_list))
 -				list_del(&new->hidden_list);
 -			kfree(new);
 +			bss_ref_put(rdev, new);
  			goto drop;
  		}
	From f9a5c358c8d26fed0cc45f2afc64633d4ba21dff Mon Sep 17 00:00:00 2001
	From: Nguyen Dinh Phi <phind.uet@gmail.com>
	Date: Mon, 28 Jun 2021 21:23:34 +0800
	Subject: cfg80211: Fix possible memory leak in function cfg80211_bss_update

	From: Nguyen Dinh Phi <phind.uet@gmail.com>

	commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream.

	When we exceed the limit of BSS entries, this function will free the
	new entry, however, at this time, it is the last door to access the
	inputed ies, so these ies will be unreferenced objects and cause memory
	leak.
	Therefore we should free its ies before deallocating the new entry, beside
	of dropping it from hidden_list.

	Signed-off-by: Nguyen Dinh Phi <phind.uet@gmail.com>
	Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com
	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/wireless/scan.c \| 6 ++----
	1 file changed, 2 insertions(+), 4 deletions(-)

	--- a/net/wireless/scan.c
	+++ b/net/wireless/scan.c
	@@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_regi
	* be grouped with this beacon for updates ...
	*/
	if (!cfg80211_combine_bsses(rdev, new)) {
	- kfree(new);
	+ bss_ref_put(rdev, new);
	goto drop;
	}
	}

	if (rdev->bss_entries >= bss_entries_limit &&
	!cfg80211_bss_expire_oldest(rdev)) {
	- if (!list_empty(&new->hidden_list))
	- list_del(&new->hidden_list);
	- kfree(new);
	+ bss_ref_put(rdev, new);
	goto drop;
	}