commit
a042994dd377d86bff9446ee76151ceb6267c9ba upstream.
There is a theoretical race that if hit will trigger
a crash. The race is between when we issue the first
regulatory hint, regulatory_hint_core(), gets processed
by the workqueue and between when the first device
gets registered to the wireless core. This is not easy
to reproduce but it was easy to do so through the
regulatory simulator I have been working on. This
is a port of the fix I implemented there [1].
[1] https://github.com/mcgrof/regsim/commit/
a246ccf81f059cb662eee288aa13100f631e4cc8
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
#define REG_DBG_PRINT(args...)
#endif
#define REG_DBG_PRINT(args...)
#endif
+static struct regulatory_request core_request_world = {
+ .initiator = NL80211_REGDOM_SET_BY_CORE,
+ .alpha2[0] = '0',
+ .alpha2[1] = '0',
+ .intersect = false,
+ .processed = true,
+ .country_ie_env = ENVIRON_ANY,
+};
+
/* Receipt of information from last regulatory request */
/* Receipt of information from last regulatory request */
-static struct regulatory_request *last_request;
+static struct regulatory_request *last_request = &core_request_world;
/* To trigger userspace events */
static struct platform_device *reg_pdev;
/* To trigger userspace events */
static struct platform_device *reg_pdev;
module_param(ieee80211_regdom, charp, 0444);
MODULE_PARM_DESC(ieee80211_regdom, "IEEE 802.11 regulatory domain code");
module_param(ieee80211_regdom, charp, 0444);
MODULE_PARM_DESC(ieee80211_regdom, "IEEE 802.11 regulatory domain code");
-static void reset_regdomains(void)
+static void reset_regdomains(bool full_reset)
{
/* avoid freeing static information or freeing something twice */
if (cfg80211_regdomain == cfg80211_world_regdom)
{
/* avoid freeing static information or freeing something twice */
if (cfg80211_regdomain == cfg80211_world_regdom)
cfg80211_world_regdom = &world_regdom;
cfg80211_regdomain = NULL;
cfg80211_world_regdom = &world_regdom;
cfg80211_regdomain = NULL;
+
+ if (!full_reset)
+ return;
+
+ if (last_request != &core_request_world)
+ kfree(last_request);
+ last_request = &core_request_world;
+ reset_regdomains(false);
cfg80211_world_regdom = rd;
cfg80211_regdomain = rd;
cfg80211_world_regdom = rd;
cfg80211_regdomain = rd;
+ if (last_request != &core_request_world)
+ kfree(last_request);
last_request = pending_request;
last_request->intersect = intersect;
last_request = pending_request;
last_request->intersect = intersect;
{
struct regulatory_request *request;
{
struct regulatory_request *request;
- kfree(last_request);
- last_request = NULL;
-
request = kzalloc(sizeof(struct regulatory_request),
GFP_KERNEL);
if (!request)
request = kzalloc(sizeof(struct regulatory_request),
GFP_KERNEL);
if (!request)
mutex_lock(&cfg80211_mutex);
mutex_lock(®_mutex);
mutex_lock(&cfg80211_mutex);
mutex_lock(®_mutex);
+ reset_regdomains(true);
restore_alpha2(alpha2, reset_user);
/*
restore_alpha2(alpha2, reset_user);
/*
int r;
if (last_request->initiator != NL80211_REGDOM_SET_BY_DRIVER) {
int r;
if (last_request->initiator != NL80211_REGDOM_SET_BY_DRIVER) {
+ reset_regdomains(false);
cfg80211_regdomain = rd;
return 0;
}
cfg80211_regdomain = rd;
return 0;
}
+ reset_regdomains(false);
cfg80211_regdomain = rd;
return 0;
}
cfg80211_regdomain = rd;
return 0;
}
+ reset_regdomains(false);
cfg80211_regdomain = intersected_rd;
return 0;
cfg80211_regdomain = intersected_rd;
return 0;
+ reset_regdomains(false);
cfg80211_regdomain = intersected_rd;
return 0;
cfg80211_regdomain = intersected_rd;
return 0;
mutex_lock(&cfg80211_mutex);
mutex_lock(®_mutex);
mutex_lock(&cfg80211_mutex);
mutex_lock(®_mutex);
- reset_regdomains();
-
- kfree(last_request);
+ reset_regdomains(true);
dev_set_uevent_suppress(®_pdev->dev, true);
platform_device_unregister(reg_pdev);
dev_set_uevent_suppress(®_pdev->dev, true);
platform_device_unregister(reg_pdev);