From: Arik Nemtsov <arik@wizery.com>
Date: Thu, 4 Dec 2014 10:22:16 +0000 (+0200)
Subject: cfg80211: avoid mem leak on driver hint set
X-Git-Tag: v3.12.37~97
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd16b23e0c1353078e7303c4f0ceaaa30079b6c0;p=thirdparty%2Fkernel%2Fstable.git

cfg80211: avoid mem leak on driver hint set

commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.

In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

[js: backport to 3.12]

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Acked-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index de06d5d1287f9..8eedb1507ccce 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1432,7 +1432,7 @@ static enum reg_request_treatment
 __regulatory_hint(struct wiphy *wiphy,
 		  struct regulatory_request *pending_request)
 {
-	const struct ieee80211_regdomain *regd;
+	const struct ieee80211_regdomain *regd, *tmp;
 	bool intersect = false;
 	enum reg_request_treatment treatment;
 	struct regulatory_request *lr;
@@ -1448,7 +1448,9 @@ __regulatory_hint(struct wiphy *wiphy,
 				kfree(pending_request);
 				return PTR_ERR(regd);
 			}
+			tmp = get_wiphy_regdom(wiphy);
 			rcu_assign_pointer(wiphy->regd, regd);
+			rcu_free_regdom(tmp);
 		}
 		intersect = true;
 		break;
@@ -1468,7 +1470,9 @@ __regulatory_hint(struct wiphy *wiphy,
 				return REG_REQ_IGNORE;
 			}
 			treatment = REG_REQ_ALREADY_SET;
+			tmp = get_wiphy_regdom(wiphy);
 			rcu_assign_pointer(wiphy->regd, regd);
+			rcu_free_regdom(tmp);
 			goto new_request;
 		}
 		kfree(pending_request);