From: Johannes Berg johannes.berg@intel.com
commit 010bfbe768f7ecc876ffba92db30432de4997e2a upstream.
If we overflow the maximum number of BSS entries and free the new entry, drop it from any hidden_list that it may have been added to in the code above or in cfg80211_combine_bsses().
Reported-by: Dan Carpenter dan.carpenter@oracle.com Link: https://lore.kernel.org/r/20210416094212.5de7d1676ad7.Ied283b0bc5f504845e7d6... Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/wireless/scan.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -1753,6 +1753,8 @@ cfg80211_bss_update(struct cfg80211_regi
if (rdev->bss_entries >= bss_entries_limit && !cfg80211_bss_expire_oldest(rdev)) { + if (!list_empty(&new->hidden_list)) + list_del(&new->hidden_list); kfree(new); goto drop; }