Commit 51d62f2f authored by Ilan Peer's avatar Ilan Peer Committed by Johannes Berg
Browse files

cfg80211: Save the regulatory domain with a lock 



Saving the regulatory domain while setting custom regulatory domain
was done while accessing a RCU protected pointer but without any
protection.

Fix this by using RTNL while accessing the pointer.

Signed-off-by: default avatarIlan Peer <ilan.peer@intel.com>
Reported-by: default avatar <syzbot+27771d4abcd9b7a1f5d3@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+db4035751c56c0079282@syzkaller.appspotmail.com>
Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
Fixes: beee2469 ("cfg80211: Save the regulatory domain when setting custom regulatory")
Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20210105165657.613e9a876829.Ia38d27dbebea28bf9c56d70691d243186ede70e7@changeid


Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 70b6ff35

net/wireless/reg.c

+10 −1
Original line number Diff line number Diff line
@@ -5,7 +5,7 @@ 
 * Copyright 2008-2011	Luis R. Rodriguez <mcgrof@qca.qualcomm.com>

 * Copyright 2013-2014  Intel Mobile Communications GmbH

 * Copyright      2017  Intel Deutschland GmbH

 * Copyright (C) 2018 - 2019 Intel Corporation

 * Copyright (C) 2018 - 2021 Intel Corporation

 *

 * Permission to use, copy, modify, and/or distribute this software for any

 * purpose with or without fee is hereby granted, provided that the above
@@ -139,6 +139,11 @@ static const struct ieee80211_regdomain *get_cfg80211_regdom(void) 
	return rcu_dereference_rtnl(cfg80211_regdomain);

}



/*

 * Returns the regulatory domain associated with the wiphy.

 *

 * Requires either RTNL or RCU protection

 */

const struct ieee80211_regdomain *get_wiphy_regdom(struct wiphy *wiphy)

{

	return rcu_dereference_rtnl(wiphy->regd);
@@ -2571,9 +2576,13 @@ void wiphy_apply_custom_regulatory(struct wiphy *wiphy, 
	if (IS_ERR(new_regd))

		return;



	rtnl_lock();



	tmp = get_wiphy_regdom(wiphy);

	rcu_assign_pointer(wiphy->regd, new_regd);

	rcu_free_regdom(tmp);



	rtnl_unlock();

}

EXPORT_SYMBOL(wiphy_apply_custom_regulatory);