From patchwork Mon Feb  4 21:33:44 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: cfg80211: Fix memory leak
Date: Mon, 04 Feb 2013 11:33:44 -0000
From: Larry Finger <Larry.Finger@lwfinger.net>
X-Patchwork-Id: 218074
Message-Id: <1360013624-4973-1-git-send-email-Larry.Finger@lwfinger.net>
To: linville@tuxdriver.com, johannes@sipsolutions.net
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
 Larry Finger <Larry.Finger@lwfinger.net>

From: Johannes Berg <johannes@sipsolutions.net>

When a driver requests a specific regulatory domain after cfg80211 already
has one, a struct ieee80211_regdomain is leaked.

Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>

---
Johannes,

I added a From: for you as the content of this patch is yours.

Larry
---

 net/wireless/reg.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index de02d63..558f524 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2189,10 +2189,14 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
 		 * However if a driver requested this specific regulatory
 		 * domain we keep it for its private use
 		 */
-		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER)
+		if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
+			const struct ieee80211_regdomain *tmp =
+						get_wiphy_regdom(request_wiphy);
 			rcu_assign_pointer(request_wiphy->regd, rd);
-		else
+			rcu_free_regdom(tmp);
+		} else {
 			kfree(rd);
+		}
 
 		rd = NULL;