From 7097fa92cfdc1432c390d81611d283464e9aff57 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 9 Jan 2013 12:01:38 +0100 Subject: [PATCH] regulatory: fix restore_regulatory_settings My commit 6d6fb6437bc9a5fd933075e0033714e8c4c6e3b9 ("regulatory: pass new regdomain to reset function") broke the restore_regulatory_settings() function due to a logic change. Consider this change: - reset_regdomains(true); - cfg80211_regdomain = cfg80211_world_regdom; + reset_regdomains(true, cfg80211_world_regdom); This looks innocent enough, until you realise that the called function (reset_regdomains) also resets the cfg80211_world_regdom pointer, so that the old version of the code would use the new object it pointed to and the new version of the code uses the old object. This lead to a double-free of this object. Since reset_regdomains() sets it to &world_regdom, use that directly. Reported-by: Sujith Manoharan Tested-by: Sujith Manoharan Reported-by: Bob Copeland Reported-by: Emmanuel Grumbach Signed-off-by: Johannes Berg --- net/wireless/reg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 2193f62bb8aef..8c114e8a91355 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -1848,7 +1848,7 @@ static void restore_regulatory_settings(bool reset_user) mutex_lock(&cfg80211_mutex); mutex_lock(®_mutex); - reset_regdomains(true, cfg80211_world_regdom); + reset_regdomains(true, &world_regdom); restore_alpha2(alpha2, reset_user); /* -- 2.39.5