Hello,
On 8/29/24 10:17, Jiawei Ye wrote:
> In the `wilc_parse_join_bss_param` function, the TSF field of the `ies`
> structure is accessed after the RCU read-side critical section is
> unlocked. According to RCU usage rules, this is illegal. Reusing this
> pointer can lead to unpredictable behavior, including accessing memory
> that has been updated or causing use-after-free issues.
>
> This possible bug was identified using a static analysis tool developed
> by myself, specifically designed to detect RCU-related issues.
>
> To address this, the TSF value is now stored in a local variable
> `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is
> then assigned using this local variable, ensuring that the TSF value is
> safely accessed.
>
> Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
> Signed-off-by: Jiawei Ye <jiawei.ye@xxxxxxxxxxx>
I guess you are right, that indeed looks like a miss from 205c50306acf. And I
guess it needs wilc to receive packets with P2P info in it to trigger a RCU splat.
Reviewed-by: Alexis Lothoré <alexis.lothore@xxxxxxxxxxx>
--
Alexis Lothoré, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
