cfg80211: avoid mem leak on driver hint set

commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.

In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

[js: backport to 3.12]

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Acked-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index de06d5d..8eedb15 100644 (file)
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1432,7 +1432,7 @@ static enum reg_request_treatment
 __regulatory_hint(struct wiphy *wiphy,
                  struct regulatory_request *pending_request)
 {
-       const struct ieee80211_regdomain *regd;
+       const struct ieee80211_regdomain *regd, *tmp;
        bool intersect = false;
        enum reg_request_treatment treatment;
        struct regulatory_request *lr;
@@ -1448,7 +1448,9 @@ __regulatory_hint(struct wiphy *wiphy,
                                kfree(pending_request);
                                return PTR_ERR(regd);
                        }
+                       tmp = get_wiphy_regdom(wiphy);
                        rcu_assign_pointer(wiphy->regd, regd);
+                       rcu_free_regdom(tmp);
                }
                intersect = true;
                break;
@@ -1468,7 +1470,9 @@ __regulatory_hint(struct wiphy *wiphy,
                                return REG_REQ_IGNORE;
                        }
                        treatment = REG_REQ_ALREADY_SET;
+                       tmp = get_wiphy_regdom(wiphy);
                        rcu_assign_pointer(wiphy->regd, regd);
+                       rcu_free_regdom(tmp);
                        goto new_request;
                }
                kfree(pending_request);