[PATCH] cfg80211: fix regulatory NULL dereference

[PATCH] cfg80211: fix regulatory NULL dereference

[Johannes Berg]

From: Johannes Berg <johannes.berg@intel.com>

By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/wireless/reg.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/wireless/reg.c	2011-11-10 09:27:32.000000000 +0100
+++ b/net/wireless/reg.c	2011-11-21 10:41:57.000000000 +0100
@@ -2037,6 +2037,10 @@ static int __set_regdom(const struct iee
 	}
 
 	request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
+	if (!request_wiphy) {
+		reg_set_request_processed();
+		return -ENODEV;
+	}
 
 	if (!last_request->intersect) {
 		int r;

Re: [PATCH] cfg80211: fix regulatory NULL dereference

[Johannes Berg]

On Mon, 2011-11-21 at 10:44 +0100, Johannes Berg wrote:
> From: Johannes Berg <johannes.berg@intel.com>
> 
> By the time userspace returns with a response to
> the regulatory domain request, the wiphy causing
> the request might have gone away. If this is so,
> reject the update but mark the request as having
> been processed anyway.
> 
> Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Oops, Cc: stable@vger.kernel.org

johannes

Re: [PATCH] cfg80211: fix regulatory NULL dereference

[Luis R. Rodriguez]

On Mon, Nov 21, 2011 at 1:44 AM, Johannes Berg
<johannes@sipsolutions.net> wrote:
> From: Johannes Berg <johannes.berg@intel.com>
>
> By the time userspace returns with a response to
> the regulatory domain request, the wiphy causing
> the request might have gone away. If this is so,
> reject the update but mark the request as having
> been processed anyway.
>
> Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
> ---
>  net/wireless/reg.c |    4 ++++
>  1 file changed, 4 insertions(+)
>
> --- a/net/wireless/reg.c        2011-11-10 09:27:32.000000000 +0100
> +++ b/net/wireless/reg.c        2011-11-21 10:41:57.000000000 +0100
> @@ -2037,6 +2037,10 @@ static int __set_regdom(const struct iee
>        }
>
>        request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
> +       if (!request_wiphy) {
> +               reg_set_request_processed();
> +               return -ENODEV;
> +       }
>
>        if (!last_request->intersect) {
>                int r;

last_request is still populated with the driver request info though,
so you'd have to reset_regdomains() too to clear last_request as if
we're starting all over again. If you don't get to it, I'm working on
two fixes that cover this.

  Luis