[PATCH 3.16.y-ckt 133/216] cfg80211: avoid mem leak on driver hint set

[Luis Henriques]

3.16.7-ckt4 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arik Nemtsov <arik at wizery.com>

commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.

In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

Signed-off-by: Arik Nemtsov <arikx.nemtsov at intel.com>
Acked-by: Luis R. Rodriguez <mcgrof at suse.com>
Signed-off-by: Johannes Berg <johannes.berg at intel.com>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/wireless/reg.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 1afdf45db38f..ff7ffeb7947a 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1720,7 +1720,7 @@ static enum reg_request_treatment
 reg_process_hint_driver(struct wiphy *wiphy,
 			struct regulatory_request *driver_request)
 {
-	const struct ieee80211_regdomain *regd;
+	const struct ieee80211_regdomain *regd, *tmp;
 	enum reg_request_treatment treatment;
 
 	treatment = __reg_process_hint_driver(driver_request);
@@ -1740,7 +1740,10 @@ reg_process_hint_driver(struct wiphy *wiphy,
 			reg_free_request(driver_request);
 			return REG_REQ_IGNORE;
 		}
+
+		tmp = get_wiphy_regdom(wiphy);
 		rcu_assign_pointer(wiphy->regd, regd);
+		rcu_free_regdom(tmp);
 	}
 
 
-- 
2.1.4