diff mbox series

wifi: cfg80211: fix a possible memory leak

Message ID 20221101201931.119136-1-dinguyen@kernel.org (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series wifi: cfg80211: fix a possible memory leak | expand

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1 this patch: 1
netdev/cc_maintainers success CCed 7 of 7 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 1 this patch: 1
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Dinh Nguyen Nov. 1, 2022, 8:19 p.m. UTC 
Klockworks reported a possible memory leak when
cfg80211_inform_single_bss_data() return on an error and ies is left
allocated.

Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
---
 net/wireless/scan.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Johannes Berg Dec. 1, 2022, 2:21 p.m. UTC | #1 
On Tue, 2022-11-01 at 15:19 -0500, Dinh Nguyen wrote:
> Klockworks
> 
You probably mean "klocwork" :)

>  reported a possible memory leak when
> cfg80211_inform_single_bss_data() return on an error and ies is left
> allocated.
> 
> Fixes: 0e227084aee3 ("cfg80211: clarify BSS probe response vs. beacon data")
> Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
> ---
>  net/wireless/scan.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/wireless/scan.c b/net/wireless/scan.c
> index 806a5f1330ff..3c81dc17e079 100644
> --- a/net/wireless/scan.c
> +++ b/net/wireless/scan.c
> @@ -2015,8 +2015,10 @@ cfg80211_inform_single_bss_data(struct wiphy *wiphy,
>  
>  	signal_valid = data->chan == channel;
>  	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
> -	if (!res)
> +	if (!res) {
> +		kfree(ies);
>  		return NULL;
> +	}
> 

To be honest this makes me a bit nervous - the function will take over
ownership of the tmp BSS in many cases if not all. Not saying it doesn't
have a bug, but at least one case inside of it *does* free it even in
the case of returning NULL and then you have a double-free?

So I think you didn't look at the code closely enough. Please do check
and follow up with a proper fix.

johannes
diff mbox series

Patch

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 806a5f1330ff..3c81dc17e079 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2015,8 +2015,10 @@  cfg80211_inform_single_bss_data(struct wiphy *wiphy,
 
 	signal_valid = data->chan == channel;
 	res = cfg80211_bss_update(wiphy_to_rdev(wiphy), &tmp, signal_valid, ts);
-	if (!res)
+	if (!res) {
+		kfree(ies);
 		return NULL;
+	}
 
 	if (channel->band == NL80211_BAND_60GHZ) {
 		bss_type = res->pub.capability & WLAN_CAPABILITY_DMG_TYPE_MASK;