mac80211: fix possible sta leak [Linux 4.19.70]

This Linux kernel change "mac80211: fix possible sta leak" is included in the Linux 4.19.70 release. This change is authored by Johannes Berg <johannes.berg [at]> on Thu Aug 1 09:30:33 2019 +0200. The commit for this change in Linux stable tree is 58f91aa (patch) which is from upstream commit 5fd2f91. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream 5fd2f91.

mac80211: fix possible sta leak

commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream.

If TDLS station addition is rejected, the sta memory is leaked.
Avoid this by moving the check before the allocation.

Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
Signed-off-by: Johannes Berg <>
Signed-off-by: Greg Kroah-Hartman <>

There are 9 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 net/mac80211/cfg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 40c5102..a48e83b 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1471,6 +1471,11 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
    if (is_multicast_ether_addr(mac))
        return -EINVAL;

+   if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
+       sdata->vif.type == NL80211_IFTYPE_STATION &&
+       !sdata->u.mgd.associated)
+       return -EINVAL;
    sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
    if (!sta)
        return -ENOMEM;
@@ -1478,10 +1483,6 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
    if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
        sta->sta.tdls = true;

-   if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
-       !sdata->u.mgd.associated)
-       return -EINVAL;
    err = sta_apply_parameters(local, sta, params);
    if (err) {
        sta_info_free(local, sta);

Leave a Reply

Your email address will not be published. Required fields are marked *