From: Greg Kroah-Hartman Date: Mon, 15 Aug 2022 13:01:07 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v5.15.61~51 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2eedb7897284b0ba8b4b23c91b44126a40cecd70;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch --- diff --git a/queue-5.15/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch b/queue-5.15/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch new file mode 100644 index 00000000000..b8d19deaf8a --- /dev/null +++ b/queue-5.15/mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch 
@@ -0,0 +1,79 @@ +From 8f9dcc29566626f683843ccac6113a12208315ca Mon Sep 17 00:00:00 2001 +From: Ahmed Zaki +Date: Sat, 2 Oct 2021 08:53:29 -0600 +Subject: mac80211: fix a memory leak where sta_info is not freed + +From: Ahmed Zaki + +commit 8f9dcc29566626f683843ccac6113a12208315ca upstream. + +The following is from a system that went OOM due to a memory leak: + +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +wlan0: Inserted STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +. +. +wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 1 +wlan0: Removed STA 74:83:c2:64:0b:87 +wlan0: Destroyed STA 74:83:c2:64:0b:87 + +The ieee80211_ibss_finish_sta() is called twice on the same STA from 2 +different locations. On the second attempt, the allocated STA is not +destroyed creating a kernel memory leak. + +This is happening because sta_info_insert_finish() does not call +sta_info_free() the second time when the STA already exists (returns +-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is +destroyed upon errors. + +Same fix is applied to -ENOMEM. 
+ +Signed-off-by: Ahmed Zaki +Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com +[change the error path label to use the existing code] +Signed-off-by: Johannes Berg +Signed-off-by: Viacheslav Sablin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -641,13 +641,13 @@ static int sta_info_insert_finish(struct + /* check if STA exists already */ + if (sta_info_get_bss(sdata, sta->sta.addr)) { + err = -EEXIST; +- goto out_err; ++ goto out_cleanup; + } + + sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL); + if (!sinfo) { + err = -ENOMEM; +- goto out_err; ++ goto out_cleanup; + } + + local->num_sta++; +@@ -703,8 +703,8 @@ static int sta_info_insert_finish(struct + out_drop_sta: + local->num_sta--; + synchronize_net(); ++ out_cleanup: + cleanup_single_sta(sta); +- out_err: + mutex_unlock(&local->sta_mtx); + kfree(sinfo); + rcu_read_lock(); diff --git a/queue-5.15/series b/queue-5.15/series index f1c17bed422..704159e20a9 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -761,3 +761,4 @@ powerpc-fix-eh-field-when-calling-lwarx-on-ppc32.patch tracing-use-a-struct-alignof-to-determine-trace-event-field-alignment.patch net_sched-cls_route-remove-from-list-when-handle-is-0.patch arm64-kexec_file-use-more-system-keyrings-to-verify-kernel-image-signature.patch +mac80211-fix-a-memory-leak-where-sta_info-is-not-freed.patch
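Review bot: for the first sta_info.c hunk (@@ -641), sending the -EEXIST and -ENOMEM branches to out_cleanup rather than out_drop_sta is the correct choice: local->num_sta++ only happens after both checks, so out_drop_sta would wrongly decrement the counter for a STA that was never counted. The new behaviour is that cleanup_single_sta() now runs on a STA that was never inserted into the hash, so the backporter should confirm that path tolerates an uninserted STA; the commit message states the caller sta_info_insert_rcu() assumes the STA is destroyed on error, which these two paths now honour. Note also that kfree(sinfo) on the -EEXIST path still depends on sinfo being initialised to NULL earlier in the function (outside the hunk), exactly as the old out_err path did.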
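Review bot: for the second sta_info.c hunk (@@ -703), dropping the out_err: label means every remaining `goto out_err` in sta_info_insert_finish() must have been converted; only the two in the previous hunk are visible and the diffstat (3 insertions, 3 deletions) is consistent with that, but the rest of the function lies outside the hunks, so a build check is warranted. Placing out_cleanup: directly after synchronize_net() preserves the fall-through out_drop_sta -> out_cleanup, so the later failure paths still decrement num_sta before cleanup_single_sta() as before. The bracketed note "[change the error path label to use the existing code]" usefully records that the backport deviates from the upstream diff in label naming.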