From: Johannes Berg <johannes.berg@intel.com>
Date: Mon, 29 Jan 2024 14:53:48 +0000 (+0100)
Subject: wifi: mac80211: fix RCU use in TDLS fast-xmit
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=9480adfe4e0f0319b9da04b44e4eebd5ad07e0cd;p=linux.git

wifi: mac80211: fix RCU use in TDLS fast-xmit

This looks up the link under RCU protection, but isn't
guaranteed to actually have protection. Fix that.

Fixes: 8cc07265b691 ("wifi: mac80211: handle TDLS data frames with MLO")
Link: https://msgid.link/20240129155348.8a9c0b1e1d89.I553f96ce953bb41b0b877d592056164dec20d01c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 68a48abc72876..e448ab3384489 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3100,10 +3100,11 @@ void ieee80211_check_fast_xmit(struct sta_info *sta)
 			/* DA SA BSSID */
 			build.da_offs = offsetof(struct ieee80211_hdr, addr1);
 			build.sa_offs = offsetof(struct ieee80211_hdr, addr2);
+			rcu_read_lock();
 			link = rcu_dereference(sdata->link[tdls_link_id]);
-			if (WARN_ON_ONCE(!link))
-				break;
-			memcpy(hdr->addr3, link->u.mgd.bssid, ETH_ALEN);
+			if (!WARN_ON_ONCE(!link))
+				memcpy(hdr->addr3, link->u.mgd.bssid, ETH_ALEN);
+			rcu_read_unlock();
 			build.hdr_len = 24;
 			break;
 		}