cfg80211: fix race in giwrate

cfg80211_wext_giwrate doesn't lock the wdev, so it
cannot access current_bss race-free. Also, there's
little point in trying to ask the driver for an AP
that it never told us about, so avoid that case.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 8 insertions, 5 deletions

diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 9d101d566bb1..5088d89a30fc 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -1127,7 +1127,7 @@ int cfg80211_wext_giwrate(struct net_device *dev,
         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
         /* we are under RTNL - globally locked - so can use a static struct */
         static struct station_info sinfo;
-        u8 *addr;
+        u8 addr[ETH_ALEN];
         int err;
 
         if (wdev->iftype != NL80211_IFTYPE_STATION)
@@ -1136,12 +1136,15 @@ int cfg80211_wext_giwrate(struct net_device *dev,
         if (!rdev->ops->get_station)
                 return -EOPNOTSUPP;
 
+        err = 0;
+        wdev_lock(wdev);
         if (wdev->current_bss)
-                addr = wdev->current_bss->pub.bssid;
-        else if (wdev->wext.connect.bssid)
-                addr = wdev->wext.connect.bssid;
+                memcpy(addr, wdev->current_bss->pub.bssid, ETH_ALEN);
         else
-                return -EOPNOTSUPP;
+                err = -EOPNOTSUPP;
+        wdev_unlock(wdev);
+        if (err)
+                return err;
 
         err = rdev->ops->get_station(&rdev->wiphy, dev, addr, &sinfo);
         if (err)