The variable link is accessed under RCU protection, but isn't guaranteed to actually have protection. So add rcu_read_lock() and rcu_read_unlock() to ensure RCU protection. This is similar to the commit 9480adfe4e0f("wifi: mac80211: fix RCU use in TDLS fast-xmit").

Signed-off-by: Chen Yufeng
---
 net/mac80211/tx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 00671ae45b2f..94ac7f954cb8 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2773,12 +2773,15 @@ static struct sk_buff *ieee80211_build_hdr(struct ieee80211_sub_if_data *sdata,
 /* DA SA BSSID */
 memcpy(hdr.addr1, skb->data, ETH_ALEN);
 memcpy(hdr.addr2, skb->data + ETH_ALEN, ETH_ALEN);
+ rcu_read_lock();
 link = rcu_dereference(sdata->link[tdls_link_id]);
 if (WARN_ON_ONCE(!link)) {
 ret = -EINVAL;
+ rcu_read_unlock();
 goto free;
 }
 memcpy(hdr.addr3, link->u.mgd.bssid, ETH_ALEN);
+ rcu_read_unlock();
 hdrlen = 24;
 } else if (sdata->u.mgd.use_4addr &&
 cpu_to_be16(ethertype) != sdata->control_port_protocol) {
--
2.34.1
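Review bot: The new read-side section in the TDLS branch is closed in two separate places, once before `goto free` and once after the `memcpy` into `hdr.addr3`, so an exit path added between them later could leave the RCU read lock held. Doing the copy conditionally and unlocking once keeps the pairing in one spot: `if (link) memcpy(hdr.addr3, link->u.mgd.bssid, ETH_ALEN);`, then a single `rcu_read_unlock();`, then the existing `if (WARN_ON_ONCE(!link))` error branch, which only tests the pointer and no longer needs its own unlock. The hunk does not show whether the callers of ieee80211_build_hdr already hold rcu_read_lock(); if they do, this pair is just harmless nesting. Either way a short comment such as `/* link is RCU-protected; not every caller is known to hold the read lock */` would record why the lock is taken here. The function body starts and ends outside the hunk, so other `rcu_dereference()` uses in it cannot be checked from here.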