Thread (12 messages), 3 authors, 2021-07-23

Re: [PATCH] cfg80211: free the object allocated in wiphy_apply_custom_regulatory

From: Dongliang Mu <hidden>
Date: 2021-07-23 09:26:02
Also in: lkml, netdev

On Fri, Jul 23, 2021 at 5:18 PM xiaoqiang zhao
[off-list ref] wrote:


On 2021/7/23 13:09, Dongliang Mu wrote:
quoted
The commit beee24695157 ("cfg80211: Save the regulatory domain when
setting custom regulatory") forgets to free the newly allocated regd
object.

Fix this by freeing the regd object in the error handling code and
deletion function - mac80211_hwsim_del_radio.

Reported-by: syzbot+1638e7c770eef6b6c0d0@syzkaller.appspotmail.com
Fixes: beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory")
Signed-off-by: Dongliang Mu <redacted>
---
 drivers/net/wireless/mac80211_hwsim.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index ffa894f7312a..20b870af6356 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3404,6 +3404,8 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
      debugfs_remove_recursive(data->debugfs);
      ieee80211_unregister_hw(data->hw);
 failed_hw:
+     if (param->regd)
+             kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
      device_release_driver(data->dev);
hw->wiphy->regd may be NULL if previous reg_copy_regd failed, so how about:
if (hw->wiphy->regd)
        rcu_free_regdom(get_wiphy_regdom(hw->wiphy));
Previously I wanted to use this API (rcu_free_regdom), but it is
static and located in a non-global header file, reg.h.
quoted
 failed_bind:
      device_unregister(data->dev);
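Review bot: in the failed_hw path the guard tests param->regd, but the pointer being freed is the one held by data->hw->wiphy, so the check and the free refer to different objects. As the reply above notes, the wiphy's regd may be NULL if the earlier copy failed, so test the value returned by get_wiphy_regdom(data->hw->wiphy) itself before freeing it. The label is also reached by fall-through from ieee80211_unregister_hw(data->hw) directly above it; if unregistering already releases the regd, that path frees it twice, so either confirm it does not or clear the wiphy's pointer once it has been freed.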
@@ -3454,6 +3456,8 @@ static void mac80211_hwsim_del_radio(struct mac80211_hwsim_data *data,
 {
      hwsim_mcast_del_radio(data->idx, hwname, info);
      debugfs_remove_recursive(data->debugfs);
+     if (data->regd)
+             kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
This is not correct, because ieee80211_unregister_hw below will free
data->hw_wiphy->regd.
Can you point out the concrete code releasing regd? Maybe the link to elixir.
quoted
      ieee80211_unregister_hw(data->hw);
      device_release_driver(data->dev);
      device_unregister(data->dev);
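Review bot: the free in mac80211_hwsim_del_radio sits before ieee80211_unregister_hw(data->hw), so the wiphy is still registered while its regd is handed to kfree_rcu, and the wiphy's pointer is left set afterwards. If the unregister path releases the same pointer, as the reply in this thread states, this is a double free; establish which code owns the regd at teardown, then drop this hunk or move the free accordingly. The guard here is data->regd while the first hunk tests param->regd; use one condition in both places, preferably the wiphy's own pointer.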