brcmfmac: fix memory leak in brcmf_fill_bss_param

Message ID	20160921062327.28729-1-zajec5@gmail.com (mailing list archive)
State	Accepted
Commit	23e9c128adb2038c27a424a5f91136e7fa3e0dc6
Delegated to:	Kalle Valo
Headers	show Return-Path: <linux-wireless-owner@kernel.org> From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com> To: Kalle Valo <kvalo@codeaurora.org> Cc: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>, Arend van Spriel <arend.vanspriel@broadcom.com>, Franky Lin <franky.lin@broadcom.com>, Hante Meuleman <hante.meuleman@broadcom.com>, Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>, "Franky (Zhenhui) Lin" <frankyl@broadcom.com>, linux-wireless@vger.kernel.org (open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER), brcm80211-dev-list.pdl@broadcom.com (open list:BROADCOM BRCM80211 IEEE802.11n WIRELESS DRIVER), netdev@vger.kernel.org (open list:NETWORKING DRIVERS), linux-kernel@vger.kernel.org (open list) Subject: [PATCH] brcmfmac: fix memory leak in brcmf_fill_bss_param Date: Wed, 21 Sep 2016 08:23:24 +0200 Message-Id: <20160921062327.28729-1-zajec5@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

20160921062327.28729-1-zajec5@gmail.com (mailing list archive)

State

Accepted

Commit

23e9c128adb2038c27a424a5f91136e7fa3e0dc6

Delegated to:

Kalle Valo

Headers

show

Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	BA11C607D0 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 21 Sep 2016 06:24:29 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A136B29EC4
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 21 Sep 2016 06:24:29 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 958E029F75; Wed, 21 Sep 2016 06:24:29 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI,
	RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7F5FD29EC4
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Wed, 21 Sep 2016 06:24:28 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753564AbcIUGYL (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Wed, 21 Sep 2016 02:24:11 -0400
Received: from mail-lf0-f66.google.com ([209.85.215.66]:33854 "EHLO
	mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751550AbcIUGYJ (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Wed, 21 Sep 2016 02:24:09 -0400
Received: by mail-lf0-f66.google.com with SMTP id b71so1096744lfg.1;
	Tue, 20 Sep 2016 23:24:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20120113;
	h=from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=mQKDR1BxsyuvRFNVr+iA+4yAhjW812PIRje2qvrrXeI=;
	b=vUQQv7Jgj1aW/SLFgkiXtbQYH6Q0Ir6At6fD8aInquFvgMQivN8zRPsl2r4/qGRRM9
	zGDjqKouYdxSN2H5mb87Fd6oirMx005FqVKYoTq73M1yKu+l94unNab2GiqZoaEGiFtu
	q1UcDLLOtwrrviGEpK5BI2YZy9eZb5xXVWQMqzQ9bGlY7cre92yx7vsmLHjLDl1E5Guz
	FBtmgNGGaehE+Fh6eZQpFogPMhF5ge9seqZol3Q+MVSnJO3Kc4JGJH5aH/j1yBFA7HXW
	at5LnWFweVWFLQUu5zVTpcbRhWrc7edXeL5nzBTtEpJlXYHZjXLmmPybt8ed8ZDfPE5s
	io5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
	:content-transfer-encoding;
	bh=mQKDR1BxsyuvRFNVr+iA+4yAhjW812PIRje2qvrrXeI=;
	b=ADQfKzswnC/HT570iFqqcrGuBUzmwqb0oTh7JLc7x5zZeUjgicQDqiy/4UHX51z2F7
	HERzF9zxKo9uiW3W9BoCvmLURyvfyy4BrTplCTet/Dp6pRqQ7gBbeaEFGkFG1EhYZL9x
	ASivvH9j667zHebaEBWBc0rjFU2gZz41eYKh8Ij7FQHNAiaPuzyZHtAnRiXNygzjbq8f
	GQ9DD9Y5Ubvj6ddlpQc1PBkxhWaCf2OPYPnMRyn2Q3EaByppF2VH/8ghnlphmB2wAjkI
	PmS1kUsHDzNApbBtQGj4oOiLBVFoQ2aI7SQsHIkpJQqQWoLo4n/Uis4ZnFpXLHxaDyxB
	E4wg==
X-Gm-Message-State: AE9vXwP+2Gh+GDEzZquIO3XNYjaHSqTmrg1GTTuvugnbLZhEUTqRCMkBDtDEBps/lvjNrQ==
X-Received: by 10.25.17.224 with SMTP id 93mr14933293lfr.77.1474439046988;
	Tue, 20 Sep 2016 23:24:06 -0700 (PDT)
Received: from linux-samsung.lan
	(ip-194-187-74-233.konfederacka.maverick.com.pl. [194.187.74.233])
	by smtp.gmail.com with ESMTPSA id
	u70sm6273525lja.15.2016.09.20.23.24.05
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 20 Sep 2016 23:24:05 -0700 (PDT)
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>,
	Arend van Spriel <arend.vanspriel@broadcom.com>,
	Franky Lin <franky.lin@broadcom.com>,
	Hante Meuleman <hante.meuleman@broadcom.com>,
	Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>,
	"Franky (Zhenhui) Lin" <frankyl@broadcom.com>,
	linux-wireless@vger.kernel.org (open list:BROADCOM BRCM80211
	IEEE802.11n WIRELESS DRIVER),
	brcm80211-dev-list.pdl@broadcom.com (open list:BROADCOM BRCM80211
	IEEE802.11n WIRELESS DRIVER),
	netdev@vger.kernel.org (open list:NETWORKING DRIVERS),
	linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] brcmfmac: fix memory leak in brcmf_fill_bss_param
Date: Wed, 21 Sep 2016 08:23:24 +0200
Message-Id: <20160921062327.28729-1-zajec5@gmail.com>
X-Mailer: git-send-email 2.9.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Commit Message

Rafał Miłecki Sept. 21, 2016, 6:23 a.m. UTC

From: Rafał Miłecki <rafal@milecki.pl>

This function is called from get_station callback which means that every
time user space was getting/dumping station(s) we were leaking 2 KiB.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
Cc: stable@vger.kernel.org # 4.2+
---
Kalle, ideally this should go as 4.8 fix, but I'm aware it's quite late.
If you are not planning to send another pull request, just get it for
the next release and let's let stable guys backport it.
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Arend van Spriel Sept. 23, 2016, 9:15 a.m. UTC | #1

On 21-9-2016 8:23, Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal@milecki.pl>
> 
> This function is called from get_station callback which means that every
> time user space was getting/dumping station(s) we were leaking 2 KiB.
> 

Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
> Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
> Cc: stable@vger.kernel.org # 4.2+
> ---
> Kalle, ideally this should go as 4.8 fix, but I'm aware it's quite late.
> If you are not planning to send another pull request, just get it for
> the next release and let's let stable guys backport it.
> ---
>  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index b8aec5e5..62a7675 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -2533,7 +2533,7 @@ static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
>  				     WL_BSS_INFO_MAX);
>  	if (err) {
>  		brcmf_err("Failed to get bss info (%d)\n", err);
> -		return;
> +		goto out_kfree;
>  	}
>  	si->filled |= BIT(NL80211_STA_INFO_BSS_PARAM);
>  	si->bss_param.beacon_interval = le16_to_cpu(buf->bss_le.beacon_period);
> @@ -2545,6 +2545,9 @@ static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
>  		si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
>  	if (capability & WLAN_CAPABILITY_SHORT_SLOT_TIME)
>  		si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
> +
> +out_kfree:
> +	kfree(buf);
>  }
>  
>  static s32
>

Kalle Valo Sept. 24, 2016, 10:27 a.m. UTC | #2

Rafał Miłecki <zajec5@gmail.com> writes:

> From: Rafał Miłecki <rafal@milecki.pl>
>
> This function is called from get_station callback which means that every
> time user space was getting/dumping station(s) we were leaking 2 KiB.
>
> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
> Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
> Cc: stable@vger.kernel.org # 4.2+
> ---
> Kalle, ideally this should go as 4.8 fix, but I'm aware it's quite late.
> If you are not planning to send another pull request, just get it for
> the next release and let's let stable guys backport it.

An old memory leak is not severe enough for 4.8 at this stage, so I'll
queue this to 4.9.

BTW, either my Gnus or my SMTP server (I haven't bothered to check yet
why exactly) don't like the names with style of "(open list:NETWORKING
DRIVERS)" in the CC list, I have to edit them away everytime I reply.
Does anyone have any ideas why that's happening just to me?

Kalle Valo Sept. 26, 2016, 5:49 p.m. UTC | #3

Rafał Miłecki wrote:
> From: Rafał Miłecki <rafal@milecki.pl>
> 
> This function is called from get_station callback which means that every
> time user space was getting/dumping station(s) we were leaking 2 KiB.
> 
> Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
> Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
> Cc: stable@vger.kernel.org # 4.2+
> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>

Patch applied to wireless-drivers-next.git, thanks.

23e9c128adb2 brcmfmac: fix memory leak in brcmf_fill_bss_param

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index b8aec5e5..62a7675 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -2533,7 +2533,7 @@  static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
 				     WL_BSS_INFO_MAX);
 	if (err) {
 		brcmf_err("Failed to get bss info (%d)\n", err);
-		return;
+		goto out_kfree;
 	}
 	si->filled |= BIT(NL80211_STA_INFO_BSS_PARAM);
 	si->bss_param.beacon_interval = le16_to_cpu(buf->bss_le.beacon_period);
@@ -2545,6 +2545,9 @@  static void brcmf_fill_bss_param(struct brcmf_if *ifp, struct station_info *si)
 		si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
 	if (capability & WLAN_CAPABILITY_SHORT_SLOT_TIME)
 		si->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
+
+out_kfree:
+	kfree(buf);
 }
 
 static s32