From: Nguyen Dinh Phi phind.uet@gmail.com
stable inclusion from stable-5.10.56 commit c8667cb406fdae6718e7dbd4d0b2c85ad1eb9d9d bugzilla: 176004 https://gitee.com/openeuler/kernel/issues/I4DYZ4
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit f9a5c358c8d26fed0cc45f2afc64633d4ba21dff upstream.
When we exceed the limit of BSS entries, this function will free the new entry, however, at this time, it is the last door to access the inputed ies, so these ies will be unreferenced objects and cause memory leak. Therefore we should free its ies before deallocating the new entry, beside of dropping it from hidden_list.
Signed-off-by: Nguyen Dinh Phi phind.uet@gmail.com Link: https://lore.kernel.org/r/20210628132334.851095-1-phind.uet@gmail.com Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Chen Jun chenjun102@huawei.com Acked-by: Weilong Chen chenweilong@huawei.com Signed-off-by: Chen Jun chenjun102@huawei.com --- net/wireless/scan.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 87fc56bc4f1e..fab1f0d50403 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1746,16 +1746,14 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev, * be grouped with this beacon for updates ... */ if (!cfg80211_combine_bsses(rdev, new)) { - kfree(new); + bss_ref_put(rdev, new); goto drop; } }
if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { - if (!list_empty(&new->hidden_list)) - list_del(&new->hidden_list); - kfree(new); + bss_ref_put(rdev, new); goto drop; }