cfg80211: fix regulatory NULL dereference
Johannes Berg [Mon, 21 Nov 2011 09:44:00 +0000 (10:44 +0100)]
commit de3584bd62d87b4c250129fbc46ca52c80330add upstream.

By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

net/wireless/reg.c

index 1658eff..1731e4b 100644 (file)
@@ -2026,6 +2026,10 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
        }
 
        request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
+       if (!request_wiphy) {
+               reg_set_request_processed();
+               return -ENODEV;
+       }
 
        if (!last_request->intersect) {
                int r;