mac80211: fix a few RCU issues

BugLink: http://bugs.launchpad.net/bugs/793702

commit a3836e02ba4c50db958d32d710b226f2408623dc upstream.

A few configuration functions correctly do
rcu_read_lock() but don't correctly reference
some pointers protected by RCU. Fix that.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 40f7357..c35dcf7 100644 (file)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -228,11 +228,11 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
                        goto out;
 
                if (pairwise)
-                       key = sta->ptk;
+                       key = rcu_dereference(sta->ptk);
                else if (key_idx < NUM_DEFAULT_KEYS)
-                       key = sta->gtk[key_idx];
+                       key = rcu_dereference(sta->gtk[key_idx]);
        } else
-               key = sdata->keys[key_idx];
+               key = rcu_dereference(sdata->keys[key_idx]);
 
        if (!key)
                goto out;
@@ -904,8 +904,10 @@ static int ieee80211_change_mpath(struct wiphy *wiphy,
 static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
                            struct mpath_info *pinfo)
 {
-       if (mpath->next_hop)
-               memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
+       struct sta_info *next_hop_sta = rcu_dereference(mpath->next_hop);
+
+       if (next_hop_sta)
+               memcpy(next_hop, next_hop_sta->sta.addr, ETH_ALEN);
        else
                memset(next_hop, 0, ETH_ALEN);