cfg80211: call cfg80211_destroy_ifaces() with wiphy lock held

This is needed since it calls into the driver, which must have the
same context as if we got to destroy an interface through nl80211.
Fix this, and add a direct lockdep assertion so we don't see it
pop up only when the driver calls back to cfg80211.

Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
Reported-by: syzbot+4305e814f9b267131776@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20210128183454.d31df9cbd7ce.I1beb07c9492f0ade900e864a098c57041e7a7ebf@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/core.c b/net/wireless/core.c
index 200cd9f5fd5f0ff153d7e5b3a5b0862d2e154df3..18f9a5c214b59442cd45d3fa34ebcdbcd60216ba 100644 (file)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -334,6 +334,7 @@ void cfg80211_destroy_ifaces(struct cfg80211_registered_device *rdev)
        struct wireless_dev *wdev, *tmp;
 
        ASSERT_RTNL();
+       lockdep_assert_wiphy(&rdev->wiphy);
 
        list_for_each_entry_safe(wdev, tmp, &rdev->wiphy.wdev_list, list) {
                if (wdev->nl_owner_dead)
@@ -349,7 +350,9 @@ static void cfg80211_destroy_iface_wk(struct work_struct *work)
                            destroy_work);
 
        rtnl_lock();
+       wiphy_lock(&rdev->wiphy);
        cfg80211_destroy_ifaces(rdev);
+       wiphy_unlock(&rdev->wiphy);
        rtnl_unlock();
 }