From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Viacheslav Sablin <sablin@ispras.ru>
Cc: stable@vger.kernel.org, Ahmed Zaki <anzaki@gmail.com>,
Johannes Berg <johannes.berg@intel.com>,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
ldv-project@linuxtesting.org
Subject: Re: [PATCH 5.10 1/1] mac80211: fix a memory leak where sta_info is not freed
Date: Mon, 15 Aug 2022 15:01:19 +0200 [thread overview]
Message-ID: <YvpDn9qqS2wee4Ky@kroah.com> (raw)
In-Reply-To: <20220809160245.29232-2-sablin@ispras.ru>
On Tue, Aug 09, 2022 at 07:02:45PM +0300, Viacheslav Sablin wrote:
> From: Ahmed Zaki <anzaki@gmail.com>
>
> commit 8f9dcc29566626f683843ccac6113a12208315ca upstream.
>
> The following is from a system that went OOM due to a memory leak:
>
> wlan0: Allocated STA 74:83:c2:64:0b:87
> wlan0: Allocated STA 74:83:c2:64:0b:87
> wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta)
> wlan0: Adding new IBSS station 74:83:c2:64:0b:87
> wlan0: moving STA 74:83:c2:64:0b:87 to state 2
> wlan0: moving STA 74:83:c2:64:0b:87 to state 3
> wlan0: Inserted STA 74:83:c2:64:0b:87
> wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work)
> wlan0: Adding new IBSS station 74:83:c2:64:0b:87
> wlan0: moving STA 74:83:c2:64:0b:87 to state 2
> wlan0: moving STA 74:83:c2:64:0b:87 to state 3
> .
> .
> wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87
> wlan0: moving STA 74:83:c2:64:0b:87 to state 2
> wlan0: moving STA 74:83:c2:64:0b:87 to state 1
> wlan0: Removed STA 74:83:c2:64:0b:87
> wlan0: Destroyed STA 74:83:c2:64:0b:87
>
> The ieee80211_ibss_finish_sta() is called twice on the same STA from 2
> different locations. On the second attempt, the allocated STA is not
> destroyed creating a kernel memory leak.
>
> This is happening because sta_info_insert_finish() does not call
> sta_info_free() the second time when the STA already exists (returns
> -EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is
> destroyed upon errors.
>
> Same fix is applied to -ENOMEM.
>
> Signed-off-by: Ahmed Zaki <anzaki@gmail.com>
> Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com
> [change the error path label to use the existing code]
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> Signed-off-by: Viacheslav Sablin <sablin@ispras.ru>
> ---
> net/mac80211/sta_info.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
This is also needed in 5.15.y, so added there as well. thanks,
greg k-h
prev parent reply other threads:[~2022-08-15 13:01 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 16:02 [PATCH 5.10 0/1] mac80211: fix a memory leak where sta_info is not freed Viacheslav Sablin
2022-08-09 16:02 ` [PATCH 5.10 1/1] " Viacheslav Sablin
2022-08-15 13:01 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvpDn9qqS2wee4Ky@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=anzaki@gmail.com \
--cc=johannes.berg@intel.com \
--cc=khoroshilov@ispras.ru \
--cc=ldv-project@linuxtesting.org \
--cc=sablin@ispras.ru \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.