From: Luis R. Rodriguez Date: Wed, 13 May 2009 21:04:41 +0000 (-0400) Subject: cfg80211: fix in nl80211_set_reg() X-Git-Tag: v2.6.30.1~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b4dbf904310eb56ef54b7a033f17651a0d0849f;p=thirdparty%2Fkernel%2Fstable.git cfg80211: fix in nl80211_set_reg() commit 61405e97788b1bc4e7c5be5b4ec04a73fc11bac2 upstream. There is a race on access to last_request and its alpha2 through reg_is_valid_request() and us possibly processing first another regulatory request on another CPU. We avoid this improbably race by locking with the cfg80211_mutex as we should have done in the first place. While at it add the assert on locking on reg_is_valid_request(). Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 641e3e26c09cb..b759106522ffa 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -2388,6 +2388,8 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info) return -EINVAL; } + mutex_lock(&cfg80211_mutex); + if (!reg_is_valid_request(alpha2)) { r = -EINVAL; goto bad_reg; @@ -2425,13 +2427,14 @@ static int nl80211_set_reg(struct sk_buff *skb, struct genl_info *info) BUG_ON(rule_idx != num_rules); - mutex_lock(&cfg80211_mutex); r = set_regdom(rd); + mutex_unlock(&cfg80211_mutex); return r; bad_reg: + mutex_unlock(&cfg80211_mutex); kfree(rd); return r; } diff --git a/net/wireless/reg.c b/net/wireless/reg.c index d3ac70551ce2e..9765bc892f0fb 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -389,6 +389,8 @@ static int call_crda(const char *alpha2) /* Used by nl80211 before kmalloc'ing our regulatory domain */ bool reg_is_valid_request(const char *alpha2) { + assert_cfg80211_lock(); + if (!last_request) return false;