staging: wfx: fix RCU usage between hif_join() and ieee80211_bss_get_ie()

Access to result of ieee80211_bss_get_ie() is protected by RCU. In other
hand, function hif_join() can sleep and cannot be called with RCU
locked.

Provide a copy of "ssidie" to hif_join() to solve this behavior.

Fixes: 9ced9b593741 ("staging: wfx: simplify hif_join()")
Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
Link: https://lore.kernel.org/r/20200310101356.182818-6-Jerome.Pouiller@silabs.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/wfx/hif_tx.c b/drivers/staging/wfx/hif_tx.c
index 7a56e45bcdaaae35b78755f578fdd999848c9030..77bca43aca4280692fc4f499c0e4d835b07f9cc1 100644 (file)
--- a/drivers/staging/wfx/hif_tx.c
+++ b/drivers/staging/wfx/hif_tx.c
@@ -290,7 +290,7 @@ int hif_stop_scan(struct wfx_vif *wvif)
 }
 
 int hif_join(struct wfx_vif *wvif, const struct ieee80211_bss_conf *conf,
-            const struct ieee80211_channel *channel, const u8 *ssidie)
+            struct ieee80211_channel *channel, const u8 *ssid, int ssidlen)
 {
        int ret;
        struct hif_msg *hif;
@@ -308,9 +308,9 @@ int hif_join(struct wfx_vif *wvif, const struct ieee80211_bss_conf *conf,
        body->basic_rate_set =
                cpu_to_le32(wfx_rate_mask_to_hw(wvif->wdev, conf->basic_rates));
        memcpy(body->bssid, conf->bssid, sizeof(body->bssid));
-       if (!conf->ibss_joined && ssidie) {
-               body->ssid_length = cpu_to_le32(ssidie[1]);
-               memcpy(body->ssid, &ssidie[2], ssidie[1]);
+       if (!conf->ibss_joined && ssid) {
+               body->ssid_length = cpu_to_le32(ssidlen);
+               memcpy(body->ssid, ssid, ssidlen);
        }
        wfx_fill_header(hif, wvif->id, HIF_REQ_ID_JOIN, sizeof(*body));
        ret = wfx_cmd_send(wvif->wdev, hif, NULL, 0, false);

diff --git a/drivers/staging/wfx/hif_tx.h b/drivers/staging/wfx/hif_tx.h
index 20977e461718bc7aef5c4fa96702055e20ad9d90..f8520a14c14cdeae03dbb9334567df7ad40700ac 100644 (file)
--- a/drivers/staging/wfx/hif_tx.h
+++ b/drivers/staging/wfx/hif_tx.h
@@ -46,7 +46,7 @@ int hif_scan(struct wfx_vif *wvif, struct cfg80211_scan_request *req80211,
             int chan_start, int chan_num);
 int hif_stop_scan(struct wfx_vif *wvif);
 int hif_join(struct wfx_vif *wvif, const struct ieee80211_bss_conf *conf,
-            const struct ieee80211_channel *channel, const u8 *ssidie);
+            struct ieee80211_channel *channel, const u8 *ssid, int ssidlen);
 int hif_set_pm(struct wfx_vif *wvif, bool ps, int dynamic_ps_timeout);
 int hif_set_bss_params(struct wfx_vif *wvif,
                       const struct hif_req_set_bss_params *arg);

diff --git a/drivers/staging/wfx/sta.c b/drivers/staging/wfx/sta.c
index ed16475c207ca4cd698eee98eb909087ebdf79f3..af4f4bbd057257fa4eba60cc42c65d91fcb4bd06 100644 (file)
--- a/drivers/staging/wfx/sta.c
+++ b/drivers/staging/wfx/sta.c
@@ -491,9 +491,11 @@ static void wfx_set_mfp(struct wfx_vif *wvif,
 static void wfx_do_join(struct wfx_vif *wvif)
 {
        int ret;
-       const u8 *ssidie;
        struct ieee80211_bss_conf *conf = &wvif->vif->bss_conf;
        struct cfg80211_bss *bss = NULL;
+       u8 ssid[IEEE80211_MAX_SSID_LEN];
+       const u8 *ssidie = NULL;
+       int ssidlen = 0;
 
        wfx_tx_lock_flush(wvif->wdev);
 
@@ -514,11 +516,14 @@ static void wfx_do_join(struct wfx_vif *wvif)
        if (!wvif->beacon_int)
                wvif->beacon_int = 1;
 
-       rcu_read_lock();
+       rcu_read_lock(); // protect ssidie
        if (!conf->ibss_joined)
                ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
-       else
-               ssidie = NULL;
+       if (ssidie) {
+               ssidlen = ssidie[1];
+               memcpy(ssid, &ssidie[2], ssidie[1]);
+       }
+       rcu_read_unlock();
 
        wfx_tx_flush(wvif->wdev);
 
@@ -527,10 +532,8 @@ static void wfx_do_join(struct wfx_vif *wvif)
 
        wfx_set_mfp(wvif, bss);
 
-       /* Perform actual join */
        wvif->wdev->tx_burst_idx = -1;
-       ret = hif_join(wvif, conf, wvif->channel, ssidie);
-       rcu_read_unlock();
+       ret = hif_join(wvif, conf, wvif->channel, ssid, ssidlen);
        if (ret) {
                ieee80211_connection_loss(wvif->vif);
                wvif->join_complete_status = -1;