| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 23 Jul 2021 13:09:14 +0800
From: Dongliang Mu <mudongliangabcd@...il.com>
To: Johannes Berg <johannes@...solutions.net>,
Kalle Valo <kvalo@...eaurora.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Luca Coelho <luciano.coelho@...el.com>,
Ilan Peer <ilan.peer@...el.com>
Cc: Dongliang Mu <mudongliangabcd@...il.com>,
syzbot+1638e7c770eef6b6c0d0@...kaller.appspotmail.com,
Johannes Berg <johannes.berg@...el.com>,
linux-wireless@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [PATCH] cfg80211: free the object allocated in wiphy_apply_custom_regulatory
The commit beee24695157 ("cfg80211: Save the regulatory domain when
setting custom regulatory") forgets to free the newly allocated regd
object.
Fix this by freeing the regd object in the error handling code and
deletion function - mac80211_hwsim_del_radio.
Reported-by: syzbot+1638e7c770eef6b6c0d0@...kaller.appspotmail.com
Fixes: beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory")
Signed-off-by: Dongliang Mu <mudongliangabcd@...il.com>
---
drivers/net/wireless/mac80211_hwsim.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index ffa894f7312a..20b870af6356 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3404,6 +3404,8 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
debugfs_remove_recursive(data->debugfs);
ieee80211_unregister_hw(data->hw);
failed_hw:
+ if (param->regd)
+ kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
device_release_driver(data->dev);
failed_bind:
device_unregister(data->dev);
@@ -3454,6 +3456,8 @@ static void mac80211_hwsim_del_radio(struct mac80211_hwsim_data *data,
{
hwsim_mcast_del_radio(data->idx, hwname, info);
debugfs_remove_recursive(data->debugfs);
+ if (data->regd)
+ kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
ieee80211_unregister_hw(data->hw);
device_release_driver(data->dev);
device_unregister(data->dev);
--
2.25.1
Powered by blists - more mailing lists