The commit beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory") forgets to free the newly allocated regd object. Fix this by freeing the regd object in the error handling code and deletion function - mac80211_hwsim_del_radio.
Reported-by: syzbot+1638e7c770eef6b6c0d0@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: beee24695157 ("cfg80211: Save the regulatory domain when setting custom regulatory")
Signed-off-by: Dongliang Mu <mudongliangabcd@xxxxxxxxx>
---
 drivers/net/wireless/mac80211_hwsim.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index ffa894f7312a..20b870af6356 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3404,6 +3404,8 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
 debugfs_remove_recursive(data->debugfs);
 ieee80211_unregister_hw(data->hw);
 failed_hw:
+ if (param->regd)
+ kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
 device_release_driver(data->dev);
 failed_bind:
 device_unregister(data->dev);
@@ -3454,6 +3456,8 @@ static void mac80211_hwsim_del_radio(struct mac80211_hwsim_data *data,
 {
 hwsim_mcast_del_radio(data->idx, hwname, info);
 debugfs_remove_recursive(data->debugfs);
+ if (data->regd)
+ kfree_rcu(get_wiphy_regdom(data->hw->wiphy));
 ieee80211_unregister_hw(data->hw);
 device_release_driver(data->dev);
 device_unregister(data->dev);
-- 
2.25.1
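Review bot: The free added under `failed_hw:` runs on two different paths, the direct jump to the label and the fall-through from `ieee80211_unregister_hw(data->hw)` on the line above, and it leaves the freed pointer stored in the wiphy. If the unregister path already releases the wiphy's regdomain (not visible in this hunk, please confirm), the fall-through case frees the same object twice, which turns a leak into a double free on an error path that the syzbot report shows is reachable. The guard also tests `param->regd` while the object released is the wiphy's own copy, so the condition and the free refer to different pointers. I would fetch the copy once, detach it and free only when it is non-NULL: `regd = get_wiphy_regdom(data->hw->wiphy);`, `RCU_INIT_POINTER(data->hw->wiphy->regd, NULL);`, `if (regd) kfree_rcu(regd, rcu_head);`, assuming the regdomain struct's RCU member is named `rcu_head`. The function body starts and ends outside the hunk.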
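Review bot: In mac80211_hwsim_del_radio the free is placed before `ieee80211_unregister_hw(data->hw)`, so the wiphy is still registered and still publishes the regdomain pointer at the moment the object is queued for freeing. Anything in the unregister path that reads or releases the wiphy's regdomain would then work on an object already handed to RCU, so the ordering here needs the same check as the error path: either move the release after the unregister call and clear the pointer, or drop this hunk if unregister already frees it. Whichever is correct, a short comment such as `/* the wiphy holds its own copy of the custom regdomain; release it exactly once */` would record who owns the object. The one-argument `kfree_rcu()` form is not available on every tree, so naming the RCU member explicitly is the safer spelling. The function body continues past the end of the hunk.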