From: Johannes Berg Date: Mon, 29 Jan 2024 14:53:48 +0000 (+0100) Subject: wifi: mac80211: fix RCU use in TDLS fast-xmit X-Git-Tag: v6.6.17~82 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fc3432ae8232ff4025e7c55012dd88db0e3d18eb;p=platform%2Fkernel%2Flinux-rpi.git wifi: mac80211: fix RCU use in TDLS fast-xmit [ Upstream commit 9480adfe4e0f0319b9da04b44e4eebd5ad07e0cd ] This looks up the link under RCU protection, but isn't guaranteed to actually have protection. Fix that. Fixes: 8cc07265b691 ("wifi: mac80211: handle TDLS data frames with MLO") Link: https://msgid.link/20240129155348.8a9c0b1e1d89.I553f96ce953bb41b0b877d592056164dec20d01c@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin
---
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index d45d4be..5481acb 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3086,10 +3086,11 @@ void ieee80211_check_fast_xmit(struct sta_info *sta)
 /* DA SA BSSID */
 build.da_offs = offsetof(struct ieee80211_hdr, addr1);
 build.sa_offs = offsetof(struct ieee80211_hdr, addr2);
+ rcu_read_lock();
 link = rcu_dereference(sdata->link[tdls_link_id]);
- if (WARN_ON_ONCE(!link))
- break;
- memcpy(hdr->addr3, link->u.mgd.bssid, ETH_ALEN);
+ if (!WARN_ON_ONCE(!link))
+ memcpy(hdr->addr3, link->u.mgd.bssid, ETH_ALEN);
+ rcu_read_unlock();
 build.hdr_len = 24;
 break;
 }
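Review bot: When `link` is NULL the new code only warns and then still reaches `build.hdr_len = 24;`, so a 24-byte fast-xmit header is prepared whose `addr3` was never written. The removed `break` at least skipped the length assignment. What `hdr->addr3` holds on that path depends on initialisation outside the hunk, but it is not the TDLS link's BSSID. Consider calling `rcu_read_unlock()` and abandoning fast-xmit setup for this station when the lookup fails, or add a comment such as `/* link gone: addr3 stays unset, see WARN above */` explaining why continuing is acceptable. The enclosing function starts and ends outside the hunk, so the available bail-out path is not visible here.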