cfg80211: fix regulatory NULL dereference
author Johannes Berg <johannes.berg@intel.com>
Mon, 21 Nov 2011 09:44:00 +0000 (10:44 +0100)
committer John W. Linville <linville@tuxdriver.com>
Mon, 21 Nov 2011 19:45:20 +0000 (14:45 -0500)
By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/wireless/reg.c

index bc1ec2c..186b7f2 100644 (file)
@@ -2035,6 +2035,10 @@ static int __set_regdom(const struct ieee80211_regdomain *rd)
        }
 
        request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
+       if (!request_wiphy) {
+               reg_set_request_processed();
+               return -ENODEV;
+       }
 
        if (!last_request->intersect) {
                int r;
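
Review bot: The new `if (!request_wiphy)` check right after `wiphy_idx_to_wiphy(last_request->wiphy_idx)` fires for every request whose index does not resolve, not only for requests whose wiphy was removed while userspace was answering. If any kind of request can reach `__set_regdom()` without ever having had a wiphy (this hunk does not show whether that can happen), it would now be rejected with -ENODEV. Please confirm that cannot happen, or limit the check to requests that were tied to a wiphy in the first place. A short comment above the check saying why `reg_set_request_processed()` is called on a failure path would also help, since marking a rejected request as processed is not obvious from the code alone. Finally, it is worth checking that callers treat the new -ENODEV return like the existing error returns with respect to `rd`, and that nothing later dereferences `last_request` expecting the wiphy to still exist.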