Unverified Commit 8cf05d37 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!15828 mt76: fix use-after-free by removing a non-RCU wcid pointer 

Merge Pull Request from: @ci-robot 
 
PR sync from: Yi Yang <yiyang13@huawei.com>
https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/TEDX2PV2G54WXM4GAMVCJ7MBZZYYFJIR/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBP450 
 
Link:https://gitee.com/openeuler/kernel/pulls/15828

 

Reviewed-by: default avatarLi Nan <linan122@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarLi Nan <linan122@huawei.com>
parents 0df58f55 091fb8b8

drivers/net/wireless/mediatek/mt76/mac80211.c

+1 −1
Original line number Diff line number Diff line
@@ -987,7 +987,7 @@ mt76_sta_add(struct mt76_dev *dev, struct ieee80211_vif *vif, 
			continue;



		mtxq = (struct mt76_txq *)sta->txq[i]->drv_priv;

		mtxq->wcid = wcid;

		mtxq->wcid = wcid->idx;

	}



	ewma_signal_init(&wcid->rssi);

drivers/net/wireless/mediatek/mt76/mt76.h

+1 −1
Original line number Diff line number Diff line
@@ -226,7 +226,7 @@ struct mt76_wcid { 
};



struct mt76_txq {

	struct mt76_wcid *wcid;

	u16 wcid;



	u16 agg_ssn;

	bool send_bar;

drivers/net/wireless/mediatek/mt76/mt7603/main.c

+1 −1
Original line number Diff line number Diff line
@@ -74,7 +74,7 @@ mt7603_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif) 
	mt7603_wtbl_init(dev, idx, mvif->idx, bc_addr);



	mtxq = (struct mt76_txq *)vif->txq->drv_priv;

	mtxq->wcid = &mvif->sta.wcid;

	mtxq->wcid = idx;

	rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid);



out:

drivers/net/wireless/mediatek/mt76/mt7615/main.c

+1 −1
Original line number Diff line number Diff line
@@ -204,7 +204,7 @@ static int mt7615_add_interface(struct ieee80211_hw *hw, 
	rcu_assign_pointer(dev->mt76.wcid[idx], &mvif->sta.wcid);

	if (vif->txq) {

		mtxq = (struct mt76_txq *)vif->txq->drv_priv;

		mtxq->wcid = &mvif->sta.wcid;

		mtxq->wcid = idx;

	}



	ret = mt7615_mcu_add_dev_info(dev, vif, true);

drivers/net/wireless/mediatek/mt76/mt76x02_util.c

+3 −1
Original line number Diff line number Diff line
@@ -293,7 +293,8 @@ mt76x02_vif_init(struct mt76x02_dev *dev, struct ieee80211_vif *vif, 
	mvif->group_wcid.idx = MT_VIF_WCID(idx);

	mvif->group_wcid.hw_key_idx = -1;

	mtxq = (struct mt76_txq *)vif->txq->drv_priv;

	mtxq->wcid = &mvif->group_wcid;

	rcu_assign_pointer(dev->mt76.wcid[MT_VIF_WCID(idx)], &mvif->group_wcid);

	mtxq->wcid = MT_VIF_WCID(idx);

}



int
@@ -346,6 +347,7 @@ void mt76x02_remove_interface(struct ieee80211_hw *hw, 
	struct mt76x02_vif *mvif = (struct mt76x02_vif *)vif->drv_priv;



	dev->mphy.vif_mask &= ~BIT(mvif->idx);

	rcu_assign_pointer(dev->mt76.wcid[mvif->group_wcid.idx], NULL);

}

EXPORT_SYMBOL_GPL(mt76x02_remove_interface);