Message ID | 20221101201931.119136-1-dinguyen@kernel.org |
---|---|
State | New |
Headers | From: Dinh Nguyen <dinguyen@kernel.org>; To: johannes@sipsolutions.net; Cc: dinguyen@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org; Subject: [PATCH] wifi: cfg80211: fix a possible memory leak; Date: Tue, 1 Nov 2022 15:19:31 -0500; Message-Id: <20221101201931.119136-1-dinguyen@kernel.org>; X-Mailer: git-send-email 2.25.1 |
Series | wifi: cfg80211: fix a possible memory leak |
Commit Message
Dinh Nguyen
Nov. 1, 2022, 8:19 p.m. UTC
Klockworks reported a possible memory leak when
cfg80211_inform_single_bss_data() returns on an error and ies is left
allocated.
Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
---
net/wireless/scan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
Comments
On Tue, 2022-11-01 at 15:19 -0500, Dinh Nguyen wrote:
> Klockworks

You probably mean "klocwork" :)

> reported a possible memory leak when
> cfg80211_inform_single_bss_data() returns on an error and ies is left
> allocated.
>
> Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
> ---
> net/wireless/scan.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c > index 806a5f1330ff..3c81dc17e079 100644 > --- a/net/wireless/scan.c > +++ b/net/wireless/scan.c > @@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, > > signal_valid = data->chan == channel; > res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts); > - if (!res) > + if (!res) { > + kfree(ies); > return NULL; > + } >

To be honest this makes me a bit nervous - the function will take over ownership of the tmp BSS in many cases if not all. Not saying it doesn't have a bug, but at least one case inside of it *does* free it even in the case of returning NULL and then you have a double-free?

So I think you didn't look at the code closely enough. Please do check and follow up with a proper fix.

johannes
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 806a5f1330ff..3c81dc17e079 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy, signal_valid = data->chan == channel; res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts); - if (!res) + if (!res) { + kfree(ies); return NULL; + } if (channel->band == NL80211_BAND_60GHZ) { bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;
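Review bot: The kfree(ies) added in the `if (!res)` branch runs unconditionally after cfg80211_bss_update() has been handed &tmp, and nothing in the hunk or the commit message establishes that this function still owns ies on that path. The reply on this thread states that at least one path inside cfg80211_bss_update() already frees it while returning NULL, in which case this change turns a possible leak into a double free. Suggest auditing every NULL-return path of cfg80211_bss_update() and placing the free only where ownership is demonstrably retained (or making the callee free consistently on all failure paths), and recording the ownership rule in a comment at this call site so the static-analysis finding and the fix can be checked against it.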