3 files changed, 37 insertions, 10 deletions

diff --git a/net/wireless/core.h b/net/wireless/core.h
index d43daa236ef..0a592e4295f 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -90,7 +90,7 @@ struct cfg80211_internal_bss {
         struct rb_node rbn;
         unsigned long ts;
         struct kref ref;
-        bool hold;
+        bool hold, ies_allocated;
 
         /* must be last because of priv member */
         struct cfg80211_bss pub;
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 6327e1617ac..6c1993d9990 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2095,11 +2095,12 @@ int set_regdom(const struct ieee80211_regdomain *rd)
 /* Caller must hold cfg80211_mutex */
 void reg_device_remove(struct wiphy *wiphy)
 {
-        struct wiphy *request_wiphy;
+        struct wiphy *request_wiphy = NULL;
 
         assert_cfg80211_lock();
 
-        request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
+        if (last_request)
+                request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx);
 
         kfree(wiphy->regd);
         if (!last_request || !request_wiphy)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 2a00e362f5f..2ae65b39b52 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -58,6 +58,10 @@ static void bss_release(struct kref *ref)
         bss = container_of(ref, struct cfg80211_internal_bss, ref);
         if (bss->pub.free_priv)
                 bss->pub.free_priv(&bss->pub);
+
+        if (bss->ies_allocated)
+                kfree(bss->pub.information_elements);
+
         kfree(bss);
 }
 
@@ -360,19 +364,41 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
 
         found = rb_find_bss(dev, res);
 
-        if (found && overwrite) {
-                list_replace(&found->list, &res->list);
-                rb_replace_node(&found->rbn, &res->rbn,
-                                &dev->bss_tree);
-                kref_put(&found->ref, bss_release);
-                found = res;
-        } else if (found) {
+        if (found) {
                 kref_get(&found->ref);
                 found->pub.beacon_interval = res->pub.beacon_interval;
                 found->pub.tsf = res->pub.tsf;
                 found->pub.signal = res->pub.signal;
                 found->pub.capability = res->pub.capability;
                 found->ts = res->ts;
+
+                /* overwrite IEs */
+                if (overwrite) {
+                        size_t used = dev->wiphy.bss_priv_size + sizeof(*res);
+                        size_t ielen = res->pub.len_information_elements;
+
+                        if (ksize(found) >= used + ielen) {
+                                memcpy(found->pub.information_elements,
+                                       res->pub.information_elements, ielen);
+                                found->pub.len_information_elements = ielen;
+                        } else {
+                                u8 *ies = found->pub.information_elements;
+
+                                if (found->ies_allocated) {
+                                        if (ksize(ies) < ielen)
+                                                ies = krealloc(ies, ielen,
+                                                               GFP_ATOMIC);
+                                } else
+                                        ies = kmalloc(ielen, GFP_ATOMIC);
+
+                                if (ies) {
+                                        memcpy(ies, res->pub.information_elements, ielen);
+                                        found->ies_allocated = true;
+                                        found->pub.information_elements = ies;
+                                }
+                        }
+                }
+
                 kref_put(&res->ref, bss_release);
         } else {
                 /* this "consumes" the reference */