Re: [syzbot] memory leak in cfg80211_inform_single_bss_frame_data

From: Fabio M. De Francesco
Date: Tue Oct 26 2021 - 05:27:44 EST


On Tuesday, October 26, 2021 12:33:23 AM CEST syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 87066fdd2e30 Revert "mm/secretmem: use refcount_t instead
..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16b55554b00000
> kernel config: https://syzkaller.appspot.com/x/.config?x=d25eeb482b0f99b
> dashboard link: https://syzkaller.appspot.com/bug?extid=7a942657a255a9d9b18a
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=171cf464b00000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1396b19f300000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+7a942657a255a9d9b18a@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> BUG: memory leak
> unreferenced object 0xffff88810f3c7980 (size 96):

Let's try the attached diff.

Fabio

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 11c68b159324..e84855ea4075 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -2380,7 +2380,7 @@ cfg80211_inform_single_bss_frame_data(struct wiphy *wiphy,
capability = le16_to_cpu(mgmt->u.probe_resp.capab_info);
}

- ies = kzalloc(sizeof(*ies) + ielen, gfp);
+ ies = kzalloc(sizeof(cfg80211_bss_ies) + ielen, gfp);
if (!ies)
return NULL;
ies->len = ielen;
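Review bot: this hunk does not change the allocation and cannot affect the reported leak: `sizeof(*ies)` and `sizeof(struct cfg80211_bss_ies)` are the same value, since `ies` is a pointer to that struct, so the kzalloc() size requested is identical before and after. The leak of the 96-byte object reported by syzbot has to come from a path that drops or overwrites the `ies` pointer without freeing it, which lies outside the lines touched here. As written the line also will not compile as C: `cfg80211_bss_ies` is a struct tag, not a typedef, so it would need to read `kzalloc(sizeof(struct cfg80211_bss_ies) + ielen, gfp)`, at which point it is equivalent to the original `sizeof(*ies)` and the change can be dropped entirely.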