benzeajmberg-intel
authored andcommitted
wifi: cfg80211: ensure cfg80211_bss_update frees IEs on error
cfg80211_bss_update is expected to consume the IEs that are passed into it in the temporary internal BSS. This did not happen in some error cases (which are also WARN_ON paths), so change the code to use a common label and use that everywhere. Signed-off-by: Benjamin Berg <[email protected]> Reviewed-by: Johannes Berg <[email protected]> Signed-off-by: Miri Korenblit <[email protected]> Link: https://msgid.link/20231220133549.8e72ea105e17.Ic81e9431e980419360e97502ce8c75c58793f05a@changeid Signed-off-by: Johannes Berg <[email protected]>
1 parent 32af9a9 commit 31c5e92

1 file changed

+16
-14
lines changed

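--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1818,15 +1818,15 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 bool signal_valid, unsigned long ts)
 {
 struct cfg80211_internal_bss *found = NULL;
+struct cfg80211_bss_ies *ies;
 
 if (WARN_ON(!tmp->pub.channel))
-return NULL;
+goto free_ies;
 
 tmp->ts = ts;
 
-if (WARN_ON(!rcu_access_pointer(tmp->pub.ies))) {
-return NULL;
-}
+if (WARN_ON(!rcu_access_pointer(tmp->pub.ies)))
+goto free_ies;
 
 found = rb_find_bss(rdev, tmp, BSS_CMP_REGULAR);
 
@@ -1836,7 +1836,6 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 } else {
 struct cfg80211_internal_bss *new;
 struct cfg80211_internal_bss *hidden;
-struct cfg80211_bss_ies *ies;
 
 /*
 * create a copy -- the "res" variable that is passed in
@@ -1845,15 +1844,8 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 */
 new = kzalloc(sizeof(*new) + rdev->wiphy.bss_priv_size,
 GFP_ATOMIC);
-if (!new) {
-ies = (void *)rcu_dereference(tmp->pub.beacon_ies);
-if (ies)
-kfree_rcu(ies, rcu_head);
-ies = (void *)rcu_dereference(tmp->pub.proberesp_ies);
-if (ies)
-kfree_rcu(ies, rcu_head);
-return NULL;
-}
+if (!new)
+goto free_ies;
 memcpy(new, tmp, sizeof(*new));
 new->refcount = 1;
 INIT_LIST_HEAD(&new->hidden_list);
@@ -1913,6 +1905,16 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 bss_ref_get(rdev, found);
 
 return found;
+
+free_ies:
+ies = (void *)rcu_dereference(tmp->pub.beacon_ies);
+if (ies)
+kfree_rcu(ies, rcu_head);
+ies = (void *)rcu_dereference(tmp->pub.proberesp_ies);
+if (ies)
+kfree_rcu(ies, rcu_head);
+
+return NULL;
 }
 
 struct cfg80211_internal_bss *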
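Review bot: The new `free_ies` label in the last hunk carries an unstated precondition: it is only safe to reach before `memcpy(new, tmp, sizeof(*new))` in the third hunk copies the IE pointers into `new`, because after that point `new` owns them and freeing them through `tmp` would be a double free once `new` is added to the tree. All three `goto free_ies` sites today sit before the copy, but a later error path added after it would not be caught by the compiler, so the label should state the contract, e.g. `/* only reachable before tmp's IEs are handed to "new" or "found" */`. It also looks, from the commit message, as if callers treat `tmp` as consumed after a NULL return; if any caller still inspects `tmp->pub.beacon_ies` or `proberesp_ies` afterwards they now dangle, which resetting those pointers to NULL after the `kfree_rcu` calls would make harmless — worth confirming against the callers, which are outside this diff. The body of `__cfg80211_bss_update` between the hunks is not shown here.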
