mac80211: fix ieee80211_ioctl_giwrate

The ieee80211_ioctl_giwrate() ioctl handler doesn't rcu_read_lock()
its access to the sta table, fix it.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/mac80211/ieee80211_ioctl.c b/net/mac80211/ieee80211_ioctl.c
index b047eebb6330b52ae567312ef6b6d7ab29678cbc..41130b3031709af8269c63f4f6b3184c6d33c900 100644 (file)
--- a/net/mac80211/ieee80211_ioctl.c
+++ b/net/mac80211/ieee80211_ioctl.c
@@ -586,19 +586,25 @@ static int ieee80211_ioctl_giwrate(struct net_device *dev,
 
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
 
-       if (sdata->vif.type == IEEE80211_IF_TYPE_STA)
-               sta = sta_info_get(local, sdata->u.sta.bssid);
-       else
+       if (sdata->vif.type != IEEE80211_IF_TYPE_STA)
                return -EOPNOTSUPP;
-       if (!sta)
-               return -ENODEV;
 
        sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
 
-       if (sta->txrate_idx < sband->n_bitrates)
+       rcu_read_lock();
+
+       sta = sta_info_get(local, sdata->u.sta.bssid);
+
+       if (sta && sta->txrate_idx < sband->n_bitrates)
                rate->value = sband->bitrates[sta->txrate_idx].bitrate;
        else
                rate->value = 0;
+
+       rcu_read_unlock();
+
+       if (!sta)
+               return -ENODEV;
+
        rate->value *= 100000;
 
        return 0;