Line 6191 (#1) allocates a memory chunk for input by kmalloc(). Line 6213 (#3) frees the input before the function returns while line 6199 (#2) forget to free it, which will lead to a memory leak. This bug influences all stable versions from 5.15.1 to 5.15.7. We should kfree() input in line 6199 (#2).

6186 static int rtw_mp_QueryDrv(struct net_device *dev,
6187 struct iw_request_info *info,
6188 union iwreq_data *wrqu, char *extra)
6189 {
6191 char *input = kmalloc(wrqu->data.length, GFP_KERNEL); // #1: kmalloc space
6195 if (!input)
6196 return -ENOMEM;
6198 if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
6199 return -EFAULT; // #2: missing kfree
6213 kfree(input); // #3: kfree space
6214 return 0;
6215 }

Signed-off-by: Jianglei Nie <niejianglei2021@xxxxxxx>
---
 drivers/staging/r8188eu/os_dep/ioctl_linux.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
index 906a57eae1af..edc660f15436 100644
--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -6195,8 +6195,11 @@ static int rtw_mp_QueryDrv(struct net_device *dev,
 	if (!input)
 		return -ENOMEM;
-	if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length))
-		return -EFAULT;
+	if (copy_from_user(input, wrqu->data.pointer, wrqu->data.length)) {
+		kfree(input);
+		return -EFAULT;
+	}
+
 	DBG_88E("%s:iwpriv in =%s\n", __func__, input);
 	qAutoLoad = strncmp(input, "autoload", 8); /* strncmp true is 0 */
-- 
2.25.1
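Review bot: The buffer the new block frees on failure is still not NUL-terminated on success: copy_from_user() fills exactly `wrqu->data.length` bytes, so the `%s` in the `DBG_88E` line and the `strncmp()` after it read past the allocation whenever the user-supplied data carries no terminator, and the leak fix leaves that untouched. The simplest repair is to allocate `wrqu->data.length + 1` (the kmalloc line sits above the hunk) and add `input[wrqu->data.length] = '\0';` after the new `if` block; alternatively the kmalloc/copy_from_user pair can become `input = memdup_user_nul(wrqu->data.pointer, wrqu->data.length);` with an `IS_ERR(input)` check, which covers the failure-path free this patch adds as well. A zero `length` also looks worth rejecting up front, since as far as I can tell kmalloc(0) returns ZERO_SIZE_PTR rather than NULL and so passes the `!input` test before the print dereferences it. rtw_mp_QueryDrv begins and ends outside the hunk.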