Re: [PATCH] staging: r8188eu: fix a memory leak in rtw_mp_pwrtrk()

Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 9 Dec 2021 08:56:08 +0100

On Thu, Dec 09, 2021 at 03:19:05PM +0800, Jianglei Nie wrote:
> Line 5961 (#1) allocates a memory chunk for input by kmalloc().
> Line 5966 (#2), line 5982 (#4) and line 5987 (#5) free the input
> before the function returns while line 5979 (#3) forget to free it,
> which will lead to a memory leak.
> 
> We should kfree() input in line 5979 (#3).
> 
> 5953 static int rtw_mp_pwrtrk(struct net_device *dev,
> 5954 			struct iw_request_info *info,
> 5955 			struct iw_point *wrqu, char *extra)
> 5956 {
> 5961 	char	*input = kmalloc(wrqu->length, GFP_KERNEL);
> 	// #1: kmalloc space
> 5963 	if (!input)
> 5964 		return -ENOMEM;
> 5965 	if (copy_from_user(input, wrqu->pointer, wrqu->length)) {
> 5966 		kfree(input); // #2: kfree space
> 5967 		return -EFAULT;
> 5968	}
> 
> 5973	if (strncmp(input, "stop", 4) == 0) {
> 5974		enable = 0;
> 5975		sprintf(extra, "mp tx power tracking stop");
> 5976	} else if (sscanf(input, "ther =%d", &thermal)) {
> 5977		ret = Hal_SetThermalMeter(padapter, (u8)thermal);
> 5978		if (ret == _FAIL)
> 5979			return -EPERM; // #3: missing kfree
> 5980		sprintf(extra, "mp tx power tracking start,
> 			target value =%d ok ", thermal);
> 5981	} else {
> 5982		kfree(input); // #4: kfree space
> 5983		return -EINVAL;
> 5984	}
> 
> 5987	kfree(input); // #5: kfree space
> 
> 5993	return 0;
> 5994 }
> 
> Signed-off-by: Jianglei Nie <niejianglei2021@xxxxxxx>
> ---
>  drivers/staging/r8188eu/os_dep/ioctl_linux.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> index 1fd375076001..8f9e0f12c51f 100644
> --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> @@ -5975,8 +5975,10 @@ static int rtw_mp_pwrtrk(struct net_device *dev,
>  			sprintf(extra, "mp tx power tracking stop");
>  		} else if (sscanf(input, "ther =%d", &thermal)) {
>  				ret = Hal_SetThermalMeter(padapter, (u8)thermal);
> -				if (ret == _FAIL)
> +				if (ret == _FAIL) {
> +					kfree(input);
>  					return -EPERM;
> +				}
>  				sprintf(extra, "mp tx power tracking start, target value =%d ok ", thermal);
>  		} else {
>  			kfree(input);

What kernel tree and version did you make this patch against?  I do not
even see this function in Linus's tree, nor in my staging-next
development branch.

confused,

greg k-h