From: Greg Kroah-Hartman Date: Mon, 15 Aug 2022 13:00:58 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.15.61~52 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7351204185a383c46e06effaa30bcf025b64835;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch --- diff --git a/queue-5.10/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch b/queue-5.10/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch new file mode 100644 index 00000000000..1f1f3178717 --- /dev/null +++ b/queue-5.10/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch 
@@ -0,0 +1,79 @@ +From 8f9dcc29566626f683843ccac6113a12208315ca Mon Sep 17 00:00:00 2001 +From: Ahmed Zaki +Date: Sat, 2 Oct 2021 08:53:29 -0600 +Subject: mac80211: fix a memory leak where sta_info is not freed + +From: Ahmed Zaki + +commit 8f9dcc29566626f683843ccac6113a12208315ca upstream. + +The following is from a system that went OOM due to a memory leak: + +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +wlan0: Inserted STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +. +. +wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 1 +wlan0: Removed STA 74:83:c2:64:0b:87 +wlan0: Destroyed STA 74:83:c2:64:0b:87 + +The ieee80211_ibss_finish_sta() is called twice on the same STA from 2 +different locations. On the second attempt, the allocated STA is not +destroyed creating a kernel memory leak. + +This is happening because sta_info_insert_finish() does not call +sta_info_free() the second time when the STA already exists (returns +-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is +destroyed upon errors. + +Same fix is applied to -ENOMEM. 
+ +Signed-off-by: Ahmed Zaki +Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com +[change the error path label to use the existing code] +Signed-off-by: Johannes Berg +Signed-off-by: Viacheslav Sablin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -645,13 +645,13 @@ static int sta_info_insert_finish(struct + /* check if STA exists already */ + if (sta_info_get_bss(sdata, sta->sta.addr)) { + err = -EEXIST; +- goto out_err; ++ goto out_cleanup; + } + + sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL); + if (!sinfo) { + err = -ENOMEM; +- goto out_err; ++ goto out_cleanup; + } + + local->num_sta++; +@@ -707,8 +707,8 @@ static int sta_info_insert_finish(struct + out_drop_sta: + local->num_sta--; + synchronize_net(); ++ out_cleanup: + cleanup_single_sta(sta); +- out_err: + mutex_unlock(&local->sta_mtx); + kfree(sinfo); + rcu_read_lock(); diff --git a/queue-5.10/series b/queue-5.10/series index e8cc5500104..d98ba853ab8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -537,3 +537,4 @@ arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch kvm-add-infrastructure-and-macro-to-mark-vm-as-bugged.patch kvm-x86-check-lapic_in_kernel-before-attempting-to-set-a-synic-irq.patch kvm-x86-avoid-theoretical-null-pointer-dereference-in-kvm_irq_delivery_to_apic_fast.patch +mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch
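Review bot: the two early-error exits in the first net/mac80211/sta_info.c hunk (-EEXIST after sta_info_get_bss(), -ENOMEM after the sinfo kzalloc) now jump to out_cleanup, which is placed after `local->num_sta--;` and `synchronize_net();` and directly before `cleanup_single_sta(sta);`, so they free the STA without decrementing num_sta or waiting for an RCU grace period. That placement is correct only because `local->num_sta++` happens after the kzalloc and the STA has not been published to RCU readers at either point; if the existence check is ever moved below `local->num_sta++`, both exits must go to out_drop_sta instead of out_cleanup, so a one-line comment at the new label stating that precondition would make the backport safer to maintain.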
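Review bot: dropping the out_err label in the second hunk leaves the tail sequence after out_cleanup unchanged (cleanup_single_sta, mutex_unlock(&local->sta_mtx), kfree(sinfo), rcu_read_lock()), so the caller still gets the STA destroyed, the mutex released and the RCU read lock re-taken on every error path, which matches the sta_info_insert_rcu() expectation stated in the commit message. The only thing to confirm outside the visible lines is that no other `goto out_err` remains in sta_info_insert_finish() in the 5.10 tree; the two replaced in the first hunk are the only ones shown, and a stray one would fail the build rather than silently misbehave.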
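The ownership rule the commit message relies on (the caller of sta_info_insert_rcu() assumes the STA is destroyed on any error, so every error exit of the finish routine must free it, or the object leaks silently) is easy to violate when a function grows a second early return. The following is an added example written for this page, not code from the kernel or from this patch: a toy station table in C with the pre-patch shape of the finish routine beside the patched shape, plus an allocation counter that makes the leak observable. All names (toy_sta, toy_table, insert_finish_leaky, insert_finish_fixed, sta_insert, leaked_after_double_insert, MAX_STA) are invented for the example; the MAC address is the one from the log in the commit message, used as a constructed sample input.

```c
/* Added example, not kernel code: a toy model of the ownership contract the
 * patch restores. Names (toy_sta, toy_table, insert_finish_*) are invented. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_LEN 6
#define MAX_STA 4
struct toy_sta { unsigned char addr[ADDR_LEN]; };

struct toy_table {
	struct toy_sta *slots[MAX_STA];
	int num_sta;
};

static int live_allocs; /* toy_sta objects currently allocated: the leak detector */

static struct toy_sta *sta_alloc(const unsigned char *addr)
{
	struct toy_sta *sta = calloc(1, sizeof(*sta));
	if (!sta)
		return NULL;
	memcpy(sta->addr, addr, ADDR_LEN);
	live_allocs++;
	return sta;
}

static void sta_free(struct toy_sta *sta)
{
	live_allocs--;
	free(sta);
}

static struct toy_sta *sta_get(const struct toy_table *t, const unsigned char *addr)
{
	for (int i = 0; i < t->num_sta; i++)
		if (memcmp(t->slots[i]->addr, addr, ADDR_LEN) == 0)
			return t->slots[i];
	return NULL;
}

/* Pre-patch shape: early errors return without freeing sta. */
static int insert_finish_leaky(struct toy_table *t, struct toy_sta *sta)
{
	if (sta_get(t, sta->addr))
		return -EEXIST;	/* sta is now unreachable: leaked */
	if (t->num_sta == MAX_STA)
		return -ENOSPC;	/* same leak on the second error path */
	t->slots[t->num_sta++] = sta;
	return 0;
}

/* Patched shape: every error path funnels through one label that frees sta. */
static int insert_finish_fixed(struct toy_table *t, struct toy_sta *sta)
{
	int err;
	if (sta_get(t, sta->addr)) {
		err = -EEXIST;
		goto out_cleanup;
	}
	if (t->num_sta == MAX_STA) {
		err = -ENOSPC;
		goto out_cleanup;
	}
	t->slots[t->num_sta++] = sta;
	return 0;
out_cleanup:
	sta_free(sta);
	return err;
}

/* Caller modelled on sta_info_insert_rcu(): allocate, hand off, and on error
 * do NOT free, trusting that the callee already destroyed the object. */
static int sta_insert(struct toy_table *t, const unsigned char *addr, int fixed)
{
	struct toy_sta *sta = sta_alloc(addr);
	if (!sta)
		return -ENOMEM;
	return fixed ? insert_finish_fixed(t, sta) : insert_finish_leaky(t, sta);
}

static void table_teardown(struct toy_table *t)
{
	while (t->num_sta > 0)
		sta_free(t->slots[--t->num_sta]);
}

/* Insert one address twice (the double ieee80211_ibss_finish_sta() call in the
 * log), tear the table down, and return how many objects are still allocated. */
int leaked_after_double_insert(int fixed)
{
	struct toy_table t = { { NULL }, 0 };
	/* constructed sample: the address from the log in the commit message */
	const unsigned char addr[ADDR_LEN] = { 0x74, 0x83, 0xc2, 0x64, 0x0b, 0x87 };

	live_allocs = 0;
	sta_insert(&t, addr, fixed);	/* first insert succeeds */
	sta_insert(&t, addr, fixed);	/* second fails with -EEXIST */
	table_teardown(&t);
	return live_allocs;		/* 0 means no leak */
}
```

With the pre-patch shape, leaked_after_double_insert(0) returns 1: the second STA was allocated by the caller, rejected with -EEXIST, and freed by nobody, which is exactly the per-peer leak the OOM log shows repeating. With the patched shape the same call returns 0. The design point is that once a caller's contract is "the callee owns the object after the call, success or failure", every early return in the callee is a potential leak, and routing all of them through a single cleanup label (as the patch does with out_cleanup) is the cheapest way to keep that invariant visible when the function is edited later.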