mac80211: fix race in TKIP MIC test debugfs file

Accessing sdata->vif.bss_conf.bssid without any
protection here is racy, use u.mgd.associated
instead and lock the correct mutex for it.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 5 insertions, 2 deletions

diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 4b68ec770bdd..99ce871bfcf9 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -284,13 +284,16 @@ static ssize_t ieee80211_if_parse_tkip_mic_test(
         case NL80211_IFTYPE_STATION:
                 fc |= cpu_to_le16(IEEE80211_FCTL_TODS);
                 /* BSSID SA DA */
-                if (sdata->vif.bss_conf.bssid == NULL) {
+                mutex_lock(&sdata->u.mgd.mtx);
+                if (!sdata->u.mgd.associated) {
+                        mutex_unlock(&sdata->u.mgd.mtx);
                         dev_kfree_skb(skb);
                         return -ENOTCONN;
                 }
-                memcpy(hdr->addr1, sdata->vif.bss_conf.bssid, ETH_ALEN);
+                memcpy(hdr->addr1, sdata->u.mgd.associated->bssid, ETH_ALEN);
                 memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN);
                 memcpy(hdr->addr3, addr, ETH_ALEN);
+                mutex_unlock(&sdata->u.mgd.mtx);
                 break;
         default:
                 dev_kfree_skb(skb);