From: Dan Carpenter <dan.carpenter@oracle.com>
To: johannes.berg@intel.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] cfg80211: limit scan results cache size
Date: Tue, 13 Apr 2021 13:53:18 +0300
Message-ID: <YHV4Hkq+D9iyEecx@mwanda>
Hello Johannes Berg,
The patch 9853a55ef1bb: "cfg80211: limit scan results cache size"
from Nov 15, 2016, leads to the following static checker warning:
net/wireless/scan.c:1754 cfg80211_bss_update()
warn: '&new->hidden_list' not removed from list
net/wireless/scan.c
  1721          memcpy(new, tmp, sizeof(*new));
  1722          new->refcount = 1;
  1723          INIT_LIST_HEAD(&new->hidden_list);
  1724          INIT_LIST_HEAD(&new->pub.nontrans_list);
  1725
  1726          if (rcu_access_pointer(tmp->pub.proberesp_ies)) {
  1727                  hidden = rb_find_bss(rdev, tmp, BSS_CMP_HIDE_ZLEN);
  1728                  if (!hidden)
  1729                          hidden = rb_find_bss(rdev, tmp,
  1730                                               BSS_CMP_HIDE_NUL);
  1731                  if (hidden) {
  1732                          new->pub.hidden_beacon_bss = &hidden->pub;
  1733                          list_add(&new->hidden_list,
                                         ^^^^^^^^^^^^^^^^^
  1734                                   &hidden->hidden_list);
                                         ^^^^^^^^^^^^^^^^^^^^
"new" gets added to the list

  1735                          hidden->refcount++;
                                ^^^^^^^^^^^^^^^^^^^
  1736                          rcu_assign_pointer(new->pub.beacon_ies,
  1737                                             hidden->pub.beacon_ies);
  1738                  }
  1739          } else {
  1740                  /*
  1741                   * Ok so we found a beacon, and don't have an entry. If
  1742                   * it's a beacon with hidden SSID, we might be in for an
  1743                   * expensive search for any probe responses that should
  1744                   * be grouped with this beacon for updates ...
  1745                   */
  1746                  if (!cfg80211_combine_bsses(rdev, new)) {
  1747                          kfree(new);
  1748                          goto drop;
  1749                  }
  1750          }
  1751
  1752          if (rdev->bss_entries >= bss_entries_limit &&
  1753              !cfg80211_bss_expire_oldest(rdev)) {
  1754                  kfree(new);
                        ^^^^^^^^^^
It seems like it's still on the list when we free "new", leading to a
use after free.

  1755                  goto drop;
  1756          }
regards,
dan carpenter
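The pattern the report points at is a node that is linked into an intrusive list and then freed without being unlinked: hidden->hidden_list keeps a pointer into the freed object, and the next walk of that list (an expiry or unlink pass) follows it. The following is an added example, not code from net/wireless/scan.c and not a claim about how the kernel eventually fixed this: it re-creates the list mechanics with a minimal list_head, replays the reported path, and shows that a later walk reaches the freed object, while unlinking with list_del() and undoing the refcount bump before the free leaves the list clean. The list implementation, the cut-down struct bss, kfree_sim() (a poison-and-remember stand-in for kfree so the walk can detect freed memory without crashing), and the list_del remedy are all this example's own constructions.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal intrusive list with the shape of the kernel's struct list_head
 * (written for this example, not copied from include/linux/list.h). */
struct list_head {
	struct list_head *next, *prev;
};

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *entry, struct list_head *head)
{
	head->next->prev = entry;
	entry->next = head->next;
	entry->prev = head;
	head->next = entry;
}

static void list_del(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
	entry->next = entry->prev = NULL;
}

/* Stand-in for cfg80211_internal_bss, cut down to the fields the report touches. */
struct bss {
	int refcount;
	struct list_head hidden_list;
};

/* Stand-in for kfree(): poison the object and remember it instead of handing
 * it back to the allocator, so a later walk can detect that it reached freed
 * memory without the process crashing. */
static void *last_freed;

static void kfree_sim(struct bss *b)
{
	memset(b, 0x6b, sizeof(*b));	/* SLUB-style poison */
	last_freed = b;
}

/* Walk hidden->hidden_list as a later expiry/unlink pass would; return 1 if
 * the walk reached a freed entry (its ->next is poison, so stop there). */
static int walk_hidden_list(struct bss *hidden)
{
	struct list_head *pos;

	for (pos = hidden->hidden_list.next; pos != &hidden->hidden_list; pos = pos->next) {
		struct bss *b = (struct bss *)((char *)pos - offsetof(struct bss, hidden_list));

		if (b == last_freed)
			return 1;
	}
	return 0;
}

/* Replays the reported path: "new" is linked onto the hidden-SSID beacon's
 * list, then the bss_entries_limit check fails and "new" is dropped.
 * with_list_del != 0 applies the remedy this example assumes (unlink and undo
 * the refcount bump before freeing). hidden->refcount after the drop is
 * returned through *refcount. */
static int drop_path(int with_list_del, int *refcount)
{
	struct bss hidden, *new;
	int hits;

	last_freed = NULL;
	*refcount = -1;
	hidden.refcount = 1;
	INIT_LIST_HEAD(&hidden.hidden_list);

	new = calloc(1, sizeof(*new));
	if (!new)
		return -1;
	new->refcount = 1;
	INIT_LIST_HEAD(&new->hidden_list);

	/* cfg80211_bss_update(): group the probe response with its beacon */
	list_add(&new->hidden_list, &hidden.hidden_list);
	hidden.refcount++;

	/* rdev->bss_entries >= bss_entries_limit and nothing could be expired */
	if (with_list_del) {
		list_del(&new->hidden_list);
		hidden.refcount--;
	}
	kfree_sim(new);			/* kfree(new); goto drop; */

	hits = walk_hidden_list(&hidden);
	*refcount = hidden.refcount;
	free(new);			/* release the real allocation behind the simulation */
	return hits;
}

static int drop_path_hits(int with_list_del) { int rc; return drop_path(with_list_del, &rc); }
static int drop_path_refcount(int with_list_del) { int rc; drop_path(with_list_del, &rc); return rc; }

int main(void)
{
	printf("as reported:   walk reaches freed entry=%d, hidden->refcount=%d\n",
	       drop_path_hits(0), drop_path_refcount(0));
	printf("with list_del: walk reaches freed entry=%d, hidden->refcount=%d\n",
	       drop_path_hits(1), drop_path_refcount(1));
	return 0;
}
```

The refcount is tracked alongside the list because the reported path bumps hidden->refcount when it links "new" and never undoes it on the drop path, so any remedy that only unlinks the node would still leave the hidden beacon's count one too high.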