Patchwork cfg80211: Fix memory leak

login
register
mail settings
Submitter Larry Finger
Date Feb. 4, 2013, 9:33 p.m.
Message ID <1360013624-4973-1-git-send-email-Larry.Finger@lwfinger.net>
Download mbox | patch
Permalink /patch/218074/
State Not Applicable
Delegated to: David Miller
Headers show

Comments

Larry Finger - Feb. 4, 2013, 9:33 p.m.
From: Johannes Berg <johannes@sipsolutions.net>

When a driver requests a specific regulatory domain after cfg80211 already
has one, a struct ieee80211_regdomain is leaked.

Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
---

Johannes,

I added a From: for you as the content of this patch is yours.

Larry
---

 net/wireless/reg.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
Johannes Berg - Feb. 5, 2013, 10:06 a.m.
On Mon, 2013-02-04 at 15:33 -0600, Larry Finger wrote:
> From: Johannes Berg <johannes@sipsolutions.net>
> 
> When a driver requests a specific regulatory domain after cfg80211 already
> has one, a struct ieee80211_regdomain is leaked.

Thanks Larry!

> Johannes,
> 
> I added a From: for you as the content of this patch is yours.

I changed it back, it's really your patch, I only suggested a bit of the
code :-)

> --- a/net/wireless/reg.c
> +++ b/net/wireless/reg.c
> @@ -2189,10 +2189,14 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
>  		 * However if a driver requested this specific regulatory
>  		 * domain we keep it for its private use
>  		 */
> -		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER)
> +		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
> +			const struct ieee80211_regdomain *tmp =
> +						get_wiphy_regdom(request_wiphy);
>  			rcu_assign_pointer(request_wiphy->regd, rd);
> -		else
> +			rcu_free_regdom(tmp);

Luis, when you get back can you please audit the other places? I'm not
convinced that there aren't more places that need to free the regdom,
but I don't really want to dig into the code right now.

johannes

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index de02d63..558f524 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2189,10 +2189,14 @@  static int __set_regdom(const struct ieee80211_regdomain *rd)
 		 * However if a driver requested this specific regulatory
 		 * domain we keep it for its private use
 		 */
-		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER)
+		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
+			const struct ieee80211_regdomain *tmp =
+						get_wiphy_regdom(request_wiphy);
 			rcu_assign_pointer(request_wiphy->regd, rd);
-		else
+			rcu_free_regdom(tmp);
+		} else {
 			kfree(rd);
+		}
 
 		rd = NULL;