aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2015-12-11 03:06:25 -0500
committerEmmanuel Grumbach <emmanuel.grumbach@intel.com>2015-12-13 06:38:26 -0500
commit4585436091cd812b1165aab71bd4847ea1cb08ec (patch)
treecf984f2e986f46770bacdf22dea4fe711f0298fd
parent628a2918afe42fae2f90749ad3721853fd06b262 (diff)
iwlwifi: mvm: protect RCU dereference in iwl_mvm_get_key_sta_id
Properly protect the RCU dereference in iwl_mvm_get_key_sta_id() when coming from iwl_mvm_update_tkip_key() which cannot hold the mvm->mutex by moving the call into the RCU critical section. Modify the check to use rcu_dereference_check() to permit this. Fixes: 9513c5e18a0d ("iwlwifi: mvm: Avoid dereferencing sta if it was already flushed") Reported-by: Laura Abbott <labbott@redhat.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
-rw-r--r--drivers/net/wireless/iwlwifi/mvm/sta.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/drivers/net/wireless/iwlwifi/mvm/sta.c b/drivers/net/wireless/iwlwifi/mvm/sta.c
index 354acbde088e..2b976b110207 100644
--- a/drivers/net/wireless/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/iwlwifi/mvm/sta.c
@@ -1222,8 +1222,8 @@ static u8 iwl_mvm_get_key_sta_id(struct iwl_mvm *mvm,
1222 mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) { 1222 mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) {
1223 u8 sta_id = mvmvif->ap_sta_id; 1223 u8 sta_id = mvmvif->ap_sta_id;
1224 1224
1225 sta = rcu_dereference_protected(mvm->fw_id_to_mac_id[sta_id], 1225 sta = rcu_dereference_check(mvm->fw_id_to_mac_id[sta_id],
1226 lockdep_is_held(&mvm->mutex)); 1226 lockdep_is_held(&mvm->mutex));
1227 /* 1227 /*
1228 * It is possible that the 'sta' parameter is NULL, 1228 * It is possible that the 'sta' parameter is NULL,
1229 * for example when a GTK is removed - the sta_id will then 1229 * for example when a GTK is removed - the sta_id will then
@@ -1590,14 +1590,15 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm,
1590 u16 *phase1key) 1590 u16 *phase1key)
1591{ 1591{
1592 struct iwl_mvm_sta *mvm_sta; 1592 struct iwl_mvm_sta *mvm_sta;
1593 u8 sta_id = iwl_mvm_get_key_sta_id(mvm, vif, sta); 1593 u8 sta_id;
1594 bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE); 1594 bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE);
1595 1595
1596 if (WARN_ON_ONCE(sta_id == IWL_MVM_STATION_COUNT))
1597 return;
1598
1599 rcu_read_lock(); 1596 rcu_read_lock();
1600 1597
1598 sta_id = iwl_mvm_get_key_sta_id(mvm, vif, sta);
1599 if (WARN_ON_ONCE(sta_id == IWL_MVM_STATION_COUNT))
1600 goto unlock;
1601
1601 if (!sta) { 1602 if (!sta) {
1602 sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]); 1603 sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]);
1603 if (WARN_ON(IS_ERR_OR_NULL(sta))) { 1604 if (WARN_ON(IS_ERR_OR_NULL(sta))) {
@@ -1609,6 +1610,8 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm,
1609 mvm_sta = iwl_mvm_sta_from_mac80211(sta); 1610 mvm_sta = iwl_mvm_sta_from_mac80211(sta);
1610 iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast, 1611 iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast,
1611 iv32, phase1key, CMD_ASYNC, keyconf->hw_key_idx); 1612 iv32, phase1key, CMD_ASYNC, keyconf->hw_key_idx);
1613
1614 unlock:
1612 rcu_read_unlock(); 1615 rcu_read_unlock();
1613} 1616}
1614 1617