... in rtl8xxxu_bss_info_changed().
Commit a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
introduced a line where the pointer returned by ieee80211_find_sta() is
used after rcu_read_unlock().
Move rcu_read_unlock() a bit lower to fix this.
Fixes: a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
Signed-off-by: Bitterblue Smith <[email protected]>
---
My bad. I'm not sure how serious this problem is because I've been using
this code all this time (2+ months) without any trouble. I only noticed
it when moving some of this code into a new function.
---
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index e8fcd531c437..28f136064297 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -4645,7 +4645,6 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
if (sta->deflink.ht_cap.cap &
(IEEE80211_HT_CAP_SGI_40 | IEEE80211_HT_CAP_SGI_20))
sgi = 1;
- rcu_read_unlock();
highest_rate = fls(ramask) - 1;
if (highest_rate < DESC_RATE_MCS0) {
@@ -4670,6 +4669,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
else
rarpt->txrate.bw = RATE_INFO_BW_20;
}
+ rcu_read_unlock();
bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
rarpt->bit_rate = bit_rate;
rarpt->desc_rate = highest_rate;
--
2.38.0
> -----Original Message-----
> From: Bitterblue Smith <[email protected]>
> Sent: Monday, November 21, 2022 4:47 AM
> To: [email protected]
> Cc: Jes Sorensen <[email protected]>
> Subject: [PATCH] wifi: rtl8xxxu: Fix use after rcu_read_unlock()
>
> ... in rtl8xxxu_bss_info_changed().
Mentioned where you modify in subject might be better.
>
> Commit a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
> introduced a line where the pointer returned by ieee80211_find_sta() is
> used after rcu_read_unlock().
>
> Move rcu_read_unlock() a bit lower to fix this.
>
> Fixes: a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
> Signed-off-by: Bitterblue Smith <[email protected]>
> ---
> My bad. I'm not sure how serious this problem is because I've been using
> this code all this time (2+ months) without any trouble. I only noticed
> it when moving some of this code into a new function.
'sta' can be freed if a station leaves, and then causes use-after-free. But,
luckily iface_work processes rtl8xxxu_bss_info_changed() and 'sta' leaving, so
it will not happen at the same time.
> ---
> drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> index e8fcd531c437..28f136064297 100644
> --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
> @@ -4645,7 +4645,6 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> if (sta->deflink.ht_cap.cap &
> (IEEE80211_HT_CAP_SGI_40 | IEEE80211_HT_CAP_SGI_20))
> sgi = 1;
> - rcu_read_unlock();
>
> highest_rate = fls(ramask) - 1;
> if (highest_rate < DESC_RATE_MCS0) {
> @@ -4670,6 +4669,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
> else
> rarpt->txrate.bw = RATE_INFO_BW_20;
> }
> + rcu_read_unlock();
> bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
> rarpt->bit_rate = bit_rate;
> rarpt->desc_rate = highest_rate;
> --
> 2.38.0
>
> ------Please consider the environment before printing this e-mail.
On 21/11/2022 07:39, Ping-Ke Shih wrote:
>
>
>> -----Original Message-----
>> From: Bitterblue Smith <[email protected]>
>> Sent: Monday, November 21, 2022 4:47 AM
>> To: [email protected]
>> Cc: Jes Sorensen <[email protected]>
>> Subject: [PATCH] wifi: rtl8xxxu: Fix use after rcu_read_unlock()
>>
>> ... in rtl8xxxu_bss_info_changed().
>
> Mentioned where you modify in subject might be better.
>
Okay.
>>
>> Commit a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
>> introduced a line where the pointer returned by ieee80211_find_sta() is
>> used after rcu_read_unlock().
>>
>> Move rcu_read_unlock() a bit lower to fix this.
>>
>> Fixes: a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width")
>> Signed-off-by: Bitterblue Smith <[email protected]>
>> ---
>> My bad. I'm not sure how serious this problem is because I've been using
>> this code all this time (2+ months) without any trouble. I only noticed
>> it when moving some of this code into a new function.
>
> 'sta' can be freed if a station leaves, and then causes use-after-free. But,
> luckily iface_work processes rtl8xxxu_bss_info_changed() and 'sta' leaving, so
> it will not happen at the same time.
>
That's good then.
>> ---
>> drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
>> b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
>> index e8fcd531c437..28f136064297 100644
>> --- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
>> +++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
>> @@ -4645,7 +4645,6 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>> if (sta->deflink.ht_cap.cap &
>> (IEEE80211_HT_CAP_SGI_40 | IEEE80211_HT_CAP_SGI_20))
>> sgi = 1;
>> - rcu_read_unlock();
>>
>> highest_rate = fls(ramask) - 1;
>> if (highest_rate < DESC_RATE_MCS0) {
>> @@ -4670,6 +4669,7 @@ rtl8xxxu_bss_info_changed(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
>> else
>> rarpt->txrate.bw = RATE_INFO_BW_20;
>> }
>> + rcu_read_unlock();
>> bit_rate = cfg80211_calculate_bitrate(&rarpt->txrate);
>> rarpt->bit_rate = bit_rate;
>> rarpt->desc_rate = highest_rate;
>> --
>> 2.38.0
>>
>> ------Please consider the environment before printing this e-mail.