cfg80211: fix in nl80211_set_reg()

commit 61405e97788b1bc4e7c5be5b4ec04a73fc11bac2 upstream.

There is a race on access to last_request and its alpha2
through reg_is_valid_request() and us possibly processing
first another regulatory request on another CPU. We avoid
this improbably race by locking with the cfg80211_mutex as
we should have done in the first place. While at it add
the assert on locking on reg_is_valid_request().

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 641e3e26c09cb401468ddb32cddc688b062b294c..b759106522ffa31d6b3dd1979adf7c234beceb39 100644 (file)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2388,6 +2388,8 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
                        return -EINVAL;
        }
 
+       mutex_lock(&cfg80211_mutex);
+
        if (!reg_is_valid_request(alpha2)) {
                r = -EINVAL;
                goto bad_reg;
@@ -2425,13 +2427,14 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info)
 
        BUG_ON(rule_idx != num_rules);
 
-       mutex_lock(&cfg80211_mutex);
        r = set_regdom(rd);
+
        mutex_unlock(&cfg80211_mutex);
 
        return r;
 
  bad_reg:
+       mutex_unlock(&cfg80211_mutex);
        kfree(rd);
        return r;
 }

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index d3ac70551ce2eeb0f029ffcbd33ab7eb85b46ae1..9765bc892f0fb31413cfaed8b0ba3deeb01f23f2 100644 (file)
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -389,6 +389,8 @@ static int call_crda(const char *alpha2)
 /* Used by nl80211 before kmalloc'ing our regulatory domain */
 bool reg_is_valid_request(const char *alpha2)
 {
+       assert_cfg80211_lock();
+
        if (!last_request)
                return false;