cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()

The SSID pointer is pointing to RCU protected data, so we
need to have it under rcu_read_lock() for the entire use.
Fix this.

Cc: stable@vger.kernel.org
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/r/20210930131120.6ddfc603aa1d.I2137344c4e2426525b1a8e4ce5fca82f8ecbfe7e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 11c68b1593245926fc00667c1fb6fe206ddbbd14..adc0d14cfd8609e49628d4e00eeff5f475ded4e9 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -418,14 +418,17 @@ cfg80211_add_nontrans_list(struct cfg80211_bss *trans_bss,
        }
        ssid_len = ssid[1];
        ssid = ssid + 2;
-       rcu_read_unlock();
 
        /* check if nontrans_bss is in the list */
        list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) {
-               if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len))
+               if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len)) {
+                       rcu_read_unlock();
                        return 0;
+               }
        }
 
+       rcu_read_unlock();
+
        /* add to the list */
        list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
        return 0;