From: Edward Adam Davis <eadavis@qq.com>
Date: Wed, 3 Jan 2024 12:13:51 +0000 (+0800)
Subject: wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=1184950e341c11b6f82bc5b59564411d9537ab27;p=linux.git

wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update

Replace rcu_dereference() with rcu_access_pointer() since we hold
the lock here (and aren't in an RCU critical section).

Fixes: 32af9a9e1069 ("wifi: cfg80211: free beacon_ies when overridden from hidden BSS")
Reported-and-tested-by: syzbot+864a269c27ee06b58374@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Link: https://msgid.link/tencent_BF8F0DF0258C8DBF124CDDE4DD8D992DCF07@qq.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index cf2131671eb6e..7cb8ae87c3693 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1864,7 +1864,7 @@ __cfg80211_bss_update(struct cfg80211_registered_device *rdev,
 					 &hidden->hidden_list);
 				hidden->refcount++;
 
-				ies = (void *)rcu_dereference(new->pub.beacon_ies);
+				ies = (void *)rcu_access_pointer(new->pub.beacon_ies);
 				rcu_assign_pointer(new->pub.beacon_ies,
 						   hidden->pub.beacon_ies);
 				if (ies)