diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2015-12-11 03:06:25 -0500 |
|---|---|---|
| committer | Emmanuel Grumbach <emmanuel.grumbach@intel.com> | 2015-12-13 06:38:26 -0500 |
| commit | 4585436091cd812b1165aab71bd4847ea1cb08ec (patch) | |
| tree | cf984f2e986f46770bacdf22dea4fe711f0298fd | |
| parent | 628a2918afe42fae2f90749ad3721853fd06b262 (diff) | |
iwlwifi: mvm: protect RCU dereference in iwl_mvm_get_key_sta_id
Properly protect the RCU dereference in iwl_mvm_get_key_sta_id() when
coming from iwl_mvm_update_tkip_key() which cannot hold the mvm->mutex
by moving the call into the RCU critical section.
Modify the check to use rcu_dereference_check() to permit this.
Fixes: 9513c5e18a0d ("iwlwifi: mvm: Avoid dereferencing sta if it was already flushed")
Reported-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
| -rw-r--r-- | drivers/net/wireless/iwlwifi/mvm/sta.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/drivers/net/wireless/iwlwifi/mvm/sta.c b/drivers/net/wireless/iwlwifi/mvm/sta.c index 354acbde088e..2b976b110207 100644 --- a/drivers/net/wireless/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/iwlwifi/mvm/sta.c | |||
| @@ -1222,8 +1222,8 @@ static u8 iwl_mvm_get_key_sta_id(struct iwl_mvm *mvm, | |||
| 1222 | mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) { | 1222 | mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) { |
| 1223 | u8 sta_id = mvmvif->ap_sta_id; | 1223 | u8 sta_id = mvmvif->ap_sta_id; |
| 1224 | 1224 | ||
| 1225 | sta = rcu_dereference_protected(mvm->fw_id_to_mac_id[sta_id], | 1225 | sta = rcu_dereference_check(mvm->fw_id_to_mac_id[sta_id], |
| 1226 | lockdep_is_held(&mvm->mutex)); | 1226 | lockdep_is_held(&mvm->mutex)); |
| 1227 | /* | 1227 | /* |
| 1228 | * It is possible that the 'sta' parameter is NULL, | 1228 | * It is possible that the 'sta' parameter is NULL, |
| 1229 | * for example when a GTK is removed - the sta_id will then | 1229 | * for example when a GTK is removed - the sta_id will then |
| @@ -1590,14 +1590,15 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm, | |||
| 1590 | u16 *phase1key) | 1590 | u16 *phase1key) |
| 1591 | { | 1591 | { |
| 1592 | struct iwl_mvm_sta *mvm_sta; | 1592 | struct iwl_mvm_sta *mvm_sta; |
| 1593 | u8 sta_id = iwl_mvm_get_key_sta_id(mvm, vif, sta); | 1593 | u8 sta_id; |
| 1594 | bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE); | 1594 | bool mcast = !(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE); |
| 1595 | 1595 | ||
| 1596 | if (WARN_ON_ONCE(sta_id == IWL_MVM_STATION_COUNT)) | ||
| 1597 | return; | ||
| 1598 | |||
| 1599 | rcu_read_lock(); | 1596 | rcu_read_lock(); |
| 1600 | 1597 | ||
| 1598 | sta_id = iwl_mvm_get_key_sta_id(mvm, vif, sta); | ||
| 1599 | if (WARN_ON_ONCE(sta_id == IWL_MVM_STATION_COUNT)) | ||
| 1600 | goto unlock; | ||
| 1601 | |||
| 1601 | if (!sta) { | 1602 | if (!sta) { |
| 1602 | sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]); | 1603 | sta = rcu_dereference(mvm->fw_id_to_mac_id[sta_id]); |
| 1603 | if (WARN_ON(IS_ERR_OR_NULL(sta))) { | 1604 | if (WARN_ON(IS_ERR_OR_NULL(sta))) { |
| @@ -1609,6 +1610,8 @@ void iwl_mvm_update_tkip_key(struct iwl_mvm *mvm, | |||
| 1609 | mvm_sta = iwl_mvm_sta_from_mac80211(sta); | 1610 | mvm_sta = iwl_mvm_sta_from_mac80211(sta); |
| 1610 | iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast, | 1611 | iwl_mvm_send_sta_key(mvm, mvm_sta, keyconf, mcast, |
| 1611 | iv32, phase1key, CMD_ASYNC, keyconf->hw_key_idx); | 1612 | iv32, phase1key, CMD_ASYNC, keyconf->hw_key_idx); |
| 1613 | |||
| 1614 | unlock: | ||
| 1612 | rcu_read_unlock(); | 1615 | rcu_read_unlock(); |
| 1613 | } | 1616 | } |
| 1614 | 1617 | ||