2013-02-04 21:34:14

by Larry Finger

[permalink] [raw]
Subject: [PATCH] cfg80211: Fix memory leak

From: Johannes Berg <[email protected]>

When a driver requests a specific regulatory domain after cfg80211 already
has one, a struct ieee80211_regdomain is leaked.

Reported-by: Larry Finger <[email protected]>
Tested-by: Larry Finger <[email protected]>
Signed-off-by: Larry Finger <[email protected]>
---

Johannes,

I added a From: for you as the content of this patch is yours.

Larry
---

net/wireless/reg.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index de02d63..558f524 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2189,10 +2189,14 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
* However if a driver requested this specific regulatory
* domain we keep it for its private use
*/
- if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER)
+ if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
+ const struct ieee80211_regdomain *tmp =
+ get_wiphy_regdom(request_wiphy);
rcu_assign_pointer(request_wiphy->regd, rd);
- else
+ rcu_free_regdom(tmp);
+ } else {
kfree(rd);
+ }

rd = NULL;

--
1.8.1



2013-02-05 10:05:47

by Johannes Berg

[permalink] [raw]
Subject: Re: [PATCH] cfg80211: Fix memory leak

On Mon, 2013-02-04 at 15:33 -0600, Larry Finger wrote:
> From: Johannes Berg <[email protected]>
>
> When a driver requests a specific regulatory domain after cfg80211 already
> has one, a struct ieee80211_regdomain is leaked.

Thanks Larry!

> Johannes,
>
> I added a From: for you as the content of this patch is yours.

I changed it back, it's really your patch, I only suggested a bit of the
code :-)

> --- a/net/wireless/reg.c
> +++ b/net/wireless/reg.c
> @@ -2189,10 +2189,14 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
> * However if a driver requested this specific regulatory
> * domain we keep it for its private use
> */
> - if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER)
> + if (lr->initiator == NL80211_REGDOM_SET_BY_DRIVER) {
> + const struct ieee80211_regdomain *tmp =
> + get_wiphy_regdom(request_wiphy);
> rcu_assign_pointer(request_wiphy->regd, rd);
> - else
> + rcu_free_regdom(tmp);

Luis, when you get back can you please audit the other places? I'm not
convinced that there aren't more places that need to free the regdom,
but I don't really want to dig into the code right now.

johannes