wifi: cfg80211: hold wiphy mutex for send_interface

jmberg-intel · jmberg-intel · commit 103317670e6b · 2023-11-24T18:30:48.000+01:00
Given all the locking rework in mac80211, we pretty much need to get into the driver with the wiphy mutex held in all callbacks. This is already mostly the case, but as Johan reported, in the get_txpower it may not be true. Lock the wiphy mutex around nl80211_send_iface(), then is also around callers of nl80211_notify_iface(). This is easy to do, fixes the problem, and aligns the locking between various calls to it in different parts of the code of cfg80211. Fixes: 0e8185c ("wifi: mac80211: check wiphy mutex in ops") Reported-by: Johan Hovold <johan@kernel.org> Closes: https://lore.kernel.org/r/ZVOXX6qg4vXEx8dX@hovoldconsulting.com Tested-by: Johan Hovold <johan+linaro@kernel.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
diff --git a/net/wireless/core.c b/net/wireless/core.c
@@ -191,13 +191,13 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,
 		return err;
 	}
 
+	wiphy_lock(&rdev->wiphy);
 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 		if (!wdev->netdev)
 			continue;
 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE);
 	}
 
-	wiphy_lock(&rdev->wiphy);
 	nl80211_notify_wiphy(rdev, NL80211_CMD_DEL_WIPHY);
 
 	wiphy_net_set(&rdev->wiphy, net);
@@ -206,13 +206,13 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,
 	WARN_ON(err);
 
 	nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);
-	wiphy_unlock(&rdev->wiphy);
 
 	list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 		if (!wdev->netdev)
 			continue;
 		nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);
 	}
+	wiphy_unlock(&rdev->wiphy);
 
 	return 0;
 }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
@@ -3822,6 +3822,8 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
 	struct net_device *dev = wdev->netdev;
 	void *hdr;
 
+	lockdep_assert_wiphy(&rdev->wiphy);
+
 	WARN_ON(cmd != NL80211_CMD_NEW_INTERFACE &&
 		cmd != NL80211_CMD_DEL_INTERFACE &&
 		cmd != NL80211_CMD_SET_INTERFACE);
@@ -3989,6 +3991,7 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *
 
 		if_idx = 0;
 
+		wiphy_lock(&rdev->wiphy);
 		list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {
 			if (if_idx < if_start) {
 				if_idx++;
@@ -3998,10 +4001,12 @@ static int nl80211_dump_interface(struct sk_buff *skb, struct netlink_callback *
 					       cb->nlh->nlmsg_seq, NLM_F_MULTI,
 					       rdev, wdev,
 					       NL80211_CMD_NEW_INTERFACE) < 0) {
+				wiphy_unlock(&rdev->wiphy);
 				goto out;
 			}
 			if_idx++;
 		}
+		wiphy_unlock(&rdev->wiphy);
 
 		wp_idx++;
 	}

Original file line number	Diff line number	Diff line change
`@@ -191,13 +191,13 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,`
`191`	`191`	`return err;`
`192`	`192`	`}`
`193`	`193`
	`194`	`+ wiphy_lock(&rdev->wiphy);`
`194`	`195`	`list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {`
`195`	`196`	`if (!wdev->netdev)`
`196`	`197`	`continue;`
`197`	`198`	`nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE);`
`198`	`199`	`}`
`199`	`200`
`200`		`- wiphy_lock(&rdev->wiphy);`
`201`	`201`	`nl80211_notify_wiphy(rdev, NL80211_CMD_DEL_WIPHY);`
`202`	`202`
`203`	`203`	`wiphy_net_set(&rdev->wiphy, net);`
`@@ -206,13 +206,13 @@ int cfg80211_switch_netns(struct cfg80211_registered_device *rdev,`
`206`	`206`	`WARN_ON(err);`
`207`	`207`
`208`	`208`	`nl80211_notify_wiphy(rdev, NL80211_CMD_NEW_WIPHY);`
`209`		`- wiphy_unlock(&rdev->wiphy);`
`210`	`209`
`211`	`210`	`list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list) {`
`212`	`211`	`if (!wdev->netdev)`
`213`	`212`	`continue;`
`214`	`213`	`nl80211_notify_iface(rdev, wdev, NL80211_CMD_NEW_INTERFACE);`
`215`	`214`	`}`
	`215`	`+ wiphy_unlock(&rdev->wiphy);`
`216`	`216`
`217`	`217`	`return 0;`
`218`	`218`	`}`