From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ahmed Zaki <anzaki@gmail.com>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
johannes@sipsolutions.net, davem@davemloft.net, kuba@kernel.org,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 3/9] mac80211: fix a memory leak where sta_info is not freed
Date: Mon, 20 Dec 2021 21:01:17 -0500
Message-ID: <20211221020123.117380-3-sashal@kernel.org>
In-Reply-To: <20211221020123.117380-1-sashal@kernel.org>

From: Ahmed Zaki <anzaki@gmail.com>

[ Upstream commit 8f9dcc29566626f683843ccac6113a12208315ca ]

The following is from a system that went OOM due to a memory leak:

wlan0: Allocated STA 74:83:c2:64:0b:87
wlan0: Allocated STA 74:83:c2:64:0b:87
wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta)
wlan0: Adding new IBSS station 74:83:c2:64:0b:87
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
wlan0: moving STA 74:83:c2:64:0b:87 to state 3
wlan0: Inserted STA 74:83:c2:64:0b:87
wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work)
wlan0: Adding new IBSS station 74:83:c2:64:0b:87
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
wlan0: moving STA 74:83:c2:64:0b:87 to state 3
.
.
wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
wlan0: moving STA 74:83:c2:64:0b:87 to state 1
wlan0: Removed STA 74:83:c2:64:0b:87
wlan0: Destroyed STA 74:83:c2:64:0b:87

The ieee80211_ibss_finish_sta() is called twice on the same STA from 2
different locations. On the second attempt, the allocated STA is not
destroyed creating a kernel memory leak.

This is happening because sta_info_insert_finish() does not call
sta_info_free() the second time when the STA already exists (returns
-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is
destroyed upon errors.

Same fix is applied to -ENOMEM.

Signed-off-by: Ahmed Zaki <anzaki@gmail.com>
Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com
[change the error path label to use the existing code]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/sta_info.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 0d5265adf5396..764175c0222dd 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -554,13 +554,13 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
/* check if STA exists already */
if (sta_info_get_bss(sdata, sta->sta.addr)) {
err = -EEXIST;
- goto out_err;
+ goto out_cleanup;
}
sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL);
if (!sinfo) {
err = -ENOMEM;
- goto out_err;
+ goto out_cleanup;
}
local->num_sta++;
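Review bot: the -EEXIST and -ENOMEM branches in this hunk both sit above local->num_sta++, so after this change cleanup_single_sta(sta) runs on a STA that was never inserted. Please confirm against the 4.14 tree that cleanup_single_sta() tolerates an entry that was not inserted, and that it ends by freeing the sta: the commit message names sta_info_free(), which does not appear anywhere in the diff. On the -EEXIST branch sinfo has not been allocated yet, so the later kfree(sinfo) depends on sinfo being initialised to NULL at its declaration, which is outside the visible context.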
@@ -609,8 +609,8 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
out_drop_sta:
local->num_sta--;
synchronize_net();
+ out_cleanup:
cleanup_single_sta(sta);
- out_err:
mutex_unlock(&local->sta_mtx);
kfree(sinfo);
rcu_read_lock();
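Review bot: with the out_err label deleted in this hunk, any goto out_err left elsewhere in sta_info_insert_finish() in the 4.14 tree would break the build; the diff converts two sites, so please confirm there are no others in this backport. Placing out_cleanup after local->num_sta-- and synchronize_net() is right for failures that happen before local->num_sta++, and a short comment at the label saying so, plus a note at the top of the function that the sta is always freed on error, would help keep later error paths from reintroducing the leak.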
--
2.34.1
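A log-side check for the pattern in the commit message, as an added example that is not part of the original mail or of the kernel tree: it pairs "Allocated STA" and "Destroyed STA" debug lines per interface and address and reports allocations that were never destroyed. The function name and the sample log are constructed for illustration, and it assumes the same mac80211 debug messages are present in the log being scanned.

```python
import re
from collections import Counter

# Matches the mac80211 debug lines quoted in the commit message, e.g.
# "wlan0: Allocated STA 74:83:c2:64:0b:87" (a dmesg timestamp prefix is fine).
STA_EVENT = re.compile(
    r"(?P<iface>\S+): (?P<event>Allocated|Destroyed) STA "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def outstanding_stas(lines):
    """Return {(iface, mac): n} for allocations with no matching destroy."""
    live = Counter()
    for line in lines:
        m = STA_EVENT.search(line)
        if not m:
            continue
        key = (m["iface"], m["mac"].lower())
        if m["event"].lower() == "allocated":
            live[key] += 1
        elif live[key] > 0:
            # A destroy with no recorded allocation means the log started
            # mid-session; ignore it instead of going negative.
            live[key] -= 1
    return {k: n for k, n in live.items() if n > 0}

# Constructed sample: the first peer follows the excerpt in the commit
# message (two allocations, one destroy); the second is a healthy peer.
SAMPLE_LOG = """\
[  100.000001] wlan0: Allocated STA 74:83:c2:64:0b:87
[  100.000002] wlan0: Allocated STA 74:83:c2:64:0b:87
[  100.000003] wlan0: Inserted STA 74:83:c2:64:0b:87
[  100.000004] wlan0: Allocated STA 02:00:00:00:00:01
[  160.000001] wlan0: Removed STA 74:83:c2:64:0b:87
[  160.000002] wlan0: Destroyed STA 74:83:c2:64:0b:87
[  170.000001] wlan0: Destroyed STA 02:00:00:00:00:01
""".splitlines()

if __name__ == "__main__":
    for (iface, mac), n in outstanding_stas(SAMPLE_LOG).items():
        print(f"{iface}: {n} allocation(s) of {mac} never destroyed")
```

A station that is still connected also shows up as outstanding, so the entries that fit this leak are those whose count stays above zero after the address has been destroyed, or whose count is above one.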