Line 6191 (#1) allocates a memory chunk for input by kmalloc().
Line 6213 (#3) frees the input before the function returns while
line 6199 (#2) forget to free it, which will lead to a memory leak.
This bug influences all stable versions from 5.15.1 to 5.15.7.
We should kfree() input in line 6199 (#2).
6186 static int rtw_mp_QueryDrv(struct net_device *dev,
6187 struct iw_request_info *info,
6188 union iwreq_data *wrqu, char *extra)
6189 {
6191 char *input = kmalloc(wrqu->data.length, GFP_KERNEL);
// #1: kmalloc space
6195 if (!input)
6196 return -ENOMEM;
6198 if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
6199 return -EFAULT; // #2: missing kfree
6213 kfree(input); // #3: kfree space
6214 return 0;
6215 }
Signed-off-by: Jianglei Nie <niejianglei2021@xxxxxxx>
---
drivers/staging/r8188eu/os_dep/ioctl_linux.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
index 906a57eae1af..edc660f15436 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -6195,8 +6195,11 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
if (!input)
return -ENOMEM;
- if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
- return -EFAULT;
+ if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+ kfree(input);
+ return -EFAULT;
+ }
+
DBG_88E("%s:iwpriv in =%s\n", __func__, input);
qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */
--
2.25.1
