Commit 461c4c2b authored by Sara Sharon's avatar Sara Sharon Committed by Johannes Berg

cfg80211: fix a bunch of RCU issues in multi-bssid code



cfg80211_update_notlisted_nontrans() leaves the RCU critical section
too early, while still using nontrans_ssid which is RCU protected. In
addition, it performs a bunch of RCU pointer update operations such
as rcu_access_pointer and rcu_assign_pointer.

The caller, cfg80211_inform_bss_frame_data(), also accesses the RCU
pointer without holding the lock.

Just wrap all of this with bss_lock.

Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/20191004123706.15768-3-luca@coelho.fi


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 1399c59f
+13 −10
@@ -1703,8 +1703,7 @@ cfg80211_parse_mbssid_frame_data(struct wiphy *wiphy,
static void
cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
				   struct cfg80211_bss *nontrans_bss,
				   struct ieee80211_mgmt *mgmt, size_t len,
				   gfp_t gfp)
				   struct ieee80211_mgmt *mgmt, size_t len)
{
	u8 *ie, *new_ie, *pos;
	const u8 *nontrans_ssid, *trans_ssid, *mbssid;
@@ -1715,6 +1714,8 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
	const struct cfg80211_bss_ies *old;
	u8 cpy_len;

	lockdep_assert_held(&wiphy_to_rdev(wiphy)->bss_lock);

	ie = mgmt->u.probe_resp.variable;

	new_ie_len = ielen;
@@ -1731,23 +1732,22 @@ cfg80211_update_notlisted_nontrans(struct wiphy *wiphy,
	if (!mbssid || mbssid < trans_ssid)
		return;
	new_ie_len -= mbssid[1];
	rcu_read_lock();

	nontrans_ssid = ieee80211_bss_get_ie(nontrans_bss, WLAN_EID_SSID);
	if (!nontrans_ssid) {
		rcu_read_unlock();
	if (!nontrans_ssid)
		return;
	}

	new_ie_len += nontrans_ssid[1];
	rcu_read_unlock();

	/* generate new ie for nontrans BSS
	 * 1. replace SSID with nontrans BSS' SSID
	 * 2. skip MBSSID IE
	 */
	new_ie = kzalloc(new_ie_len, gfp);
	new_ie = kzalloc(new_ie_len, GFP_ATOMIC);
	if (!new_ie)
		return;
	new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, gfp);

	new_ies = kzalloc(sizeof(*new_ies) + new_ie_len, GFP_ATOMIC);
	if (!new_ies)
		goto out_free;

@@ -1901,6 +1901,8 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
	cfg80211_parse_mbssid_frame_data(wiphy, data, mgmt, len,
					 &non_tx_data, gfp);

	spin_lock_bh(&wiphy_to_rdev(wiphy)->bss_lock);

	/* check if the res has other nontransmitting bss which is not
	 * in MBSSID IE
	 */
@@ -1915,8 +1917,9 @@ cfg80211_inform_bss_frame_data(struct wiphy *wiphy,
		ies2 = rcu_access_pointer(tmp_bss->ies);
		if (ies2->tsf < ies1->tsf)
			cfg80211_update_notlisted_nontrans(wiphy, tmp_bss,
							   mgmt, len, gfp);
							   mgmt, len);
	}
	spin_unlock_bh(&wiphy_to_rdev(wiphy)->bss_lock);

	return res;
}
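Review bot: With bss_lock now held around the loop, `ies2 = rcu_access_pointer(tmp_bss->ies);` followed by `ies2->tsf` in the last hunk is the wrong RCU annotation: rcu_access_pointer() is meant for pointers that are only compared, never dereferenced, and it tells neither sparse nor lockdep which lock makes this read safe. Use `ies2 = rcu_dereference_protected(tmp_bss->ies, lockdep_is_held(&wiphy_to_rdev(wiphy)->bss_lock));` (and the same for the `ies1` read of `res->ies`, which sits outside the hunk but presumably now runs under the same lock) so the protection this commit relies on is actually checked. The same concern applies inside cfg80211_update_notlisted_nontrans: after dropping rcu_read_lock(), `ieee80211_bss_get_ie(nontrans_bss, WLAN_EID_SSID)` runs with only the spinlock held, and if that helper reads bss->ies through a plain rcu_dereference() (its body is not in the diff) PROVE_RCU will flag it, so either that read should go through the _protected variant or the call needs an rcu_read_lock() pair kept around it. If `ies` can ever be NULL for a BSS on nontrans_list, the `ies2->tsf` dereference also needs a guard, which cannot be judged from the hunk. cfg80211_inform_bss_frame_data starts outside the hunk.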