summaryrefslogtreecommitdiffstats
path: root/include/net/cfg80211.h
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2023-08-16 15:38:04 +0200
committerJohannes Berg <johannes.berg@intel.com>2023-09-11 16:43:35 +0200
commit37c20b2effe987b806c8de6d12978e4ffeff026f (patch)
tree128edc5ab795b720f25e34399b5c5415d98360b8 /include/net/cfg80211.h
parentwifi: iwlwifi: mvm: Fix a memory corruption issue (diff)
downloadlinux-37c20b2effe987b806c8de6d12978e4ffeff026f.tar.xz
linux-37c20b2effe987b806c8de6d12978e4ffeff026f.zip
wifi: cfg80211: fix cqm_config access race
Max Schulze reports crashes with brcmfmac. The reason seems to be a race between userspace removing the CQM config and the driver calling cfg80211_cqm_rssi_notify(), where if the data is freed while cfg80211_cqm_rssi_notify() runs it will crash since it assumes wdev->cqm_config is set. This can't be fixed with a simple non-NULL check since there's nothing we can do for locking easily, so use RCU instead to protect the pointer, but that requires pulling the updates out into an asynchronous worker so they can sleep and call back into the driver. Since we need to change the free anyway, also change it to go back to the old settings if changing the settings fails. Reported-and-tested-by: Max Schulze <max.schulze@online.de> Closes: https://lore.kernel.org/r/ac96309a-8d8d-4435-36e6-6d152eb31876@online.de Fixes: 4a4b8169501b ("cfg80211: Accept multiple RSSI thresholds for CQM") Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'include/net/cfg80211.h')
-rw-r--r--include/net/cfg80211.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index ed3bc2a78d82..aebfa54d547a 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -6013,7 +6013,8 @@ struct wireless_dev {
} wext;
#endif
- struct cfg80211_cqm_config *cqm_config;
+ struct wiphy_work cqm_rssi_work;
+ struct cfg80211_cqm_config __rcu *cqm_config;
struct list_head pmsr_list;
spinlock_t pmsr_lock;