Commit 69bd216e authored by Johan Hovold's avatar Johan Hovold Committed by Kalle Valo
Browse files

wifi: ath12k: fix dfs-radar and temperature event locking 



The ath12k active pdevs are protected by RCU but the DFS-radar and
temperature event handling code calling ath12k_mac_get_ar_by_pdev_id()
was not marked as a read-side critical section.

Mark the code in question as RCU read-side critical sections to avoid
any potential use-after-free issues.

Note that the temperature event handler looks like a place holder
currently but would still trigger an RCU lockdep splat.

Compile tested only.

Fixes: d8899132 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Cc: stable@vger.kernel.org	# v6.2
Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
Acked-by: default avatarJeff Johnson <quic_jjohnson@quicinc.com>
Signed-off-by: default avatarKalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231019113650.9060-2-johan+linaro@kernel.org
parent 1dea3c07

drivers/net/wireless/ath/ath12k/wmi.c

+10 −1
Original line number Diff line number Diff line
@@ -6515,6 +6515,8 @@ ath12k_wmi_pdev_dfs_radar_detected_event(struct ath12k_base *ab, struct sk_buff 
		   ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp,

		   ev->freq_offset, ev->sidx);



	rcu_read_lock();



	ar = ath12k_mac_get_ar_by_pdev_id(ab, le32_to_cpu(ev->pdev_id));



	if (!ar) {
@@ -6532,6 +6534,8 @@ ath12k_wmi_pdev_dfs_radar_detected_event(struct ath12k_base *ab, struct sk_buff 
		ieee80211_radar_detected(ar->hw);



exit:

	rcu_read_unlock();



	kfree(tb);

}
@@ -6550,11 +6554,16 @@ ath12k_wmi_pdev_temperature_event(struct ath12k_base *ab, 
	ath12k_dbg(ab, ATH12K_DBG_WMI,

		   "pdev temperature ev temp %d pdev_id %d\n", ev.temp, ev.pdev_id);



	rcu_read_lock();



	ar = ath12k_mac_get_ar_by_pdev_id(ab, le32_to_cpu(ev.pdev_id));

	if (!ar) {

		ath12k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev.pdev_id);

		return;

		goto exit;

	}



exit:

	rcu_read_unlock();

}



static void ath12k_fils_discovery_event(struct ath12k_base *ab,