Message ID | 20240803-brcmfmac_pmksa_del_ssid-v1-1-4e85f19135e1@jannau.net |
---|---|
State | New |
Headers | show |
Series | wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion | expand |
On Sat, Aug 3, 2024 at 3:53 PM Janne Grunau via B4 Relay <devnull+j.jannau.net@kernel.org> wrote: > > From: Janne Grunau <j@jannau.net> > > wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the > driver for SAE/OWE offload cases") SSID based PMKSA del commands. > brcmfmac is not prepared and tries to dereference the NULL bssid and > pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based > updates so copy the SSID. > > Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations") > Cc: stable@vger.kernel.org > Signed-off-by: Janne Grunau <j@jannau.net> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > index 5fe0e671ecb3..826b768196e2 100644 > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c > @@ -4320,9 +4320,16 @@ brcmf_pmksa_v3_op(struct brcmf_if *ifp, struct cfg80211_pmksa *pmksa, > /* Single PMK operation */ > pmk_op->count = cpu_to_le16(1); > length += sizeof(struct brcmf_pmksa_v3); > - memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); > - memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); > - pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; > + if (pmksa->bssid) > + memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); > + if (pmksa->pmkid) { > + memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); > + pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; > + } > + if (pmksa->ssid && pmksa->ssid_len) { > + memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len); > + pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len; > + } > pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0); > } > > > --- > base-commit: 0c3836482481200ead7b416ca80c68a29cfdaabd > change-id: 20240803-brcmfmac_pmksa_del_ssid-3c35efe35330 > This looks reasonable to me and works on my Macs. Reviewed-by: Neal Gompa <neal@gompa.dev> -- 真実はいつも一つ!/ Always, there's only one truth!
Janne Grunau via B4 Relay <devnull+j.jannau.net@kernel.org> wrote: > From: Janne Grunau <j@jannau.net> > > wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the > driver for SAE/OWE offload cases") SSID based PMKSA del commands. > brcmfmac is not prepared and tries to dereference the NULL bssid and > pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based > updates so copy the SSID. > > Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations") > Cc: stable@vger.kernel.org > Signed-off-by: Janne Grunau <j@jannau.net> > Reviewed-by: Neal Gompa <neal@gompa.dev> Arend, what do you think? And as this is a regression I guess this should go to wireless tree?
On 8/3/2024 9:52 PM, Janne Grunau via B4 Relay wrote: > From: Janne Grunau <j@jannau.net> > > wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the > driver for SAE/OWE offload cases") SSID based PMKSA del commands. > brcmfmac is not prepared and tries to dereference the NULL bssid and > pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based > updates so copy the SSID. > > Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations") >- Cc: stable@vger.kernel.org + Cc: stable@vger.kernel.org # 6.4.x This should be applied to the wireless tree. Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> > Signed-off-by: Janne Grunau <j@jannau.net> > --- > drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-)
Janne Grunau via B4 Relay <devnull+j.jannau.net@kernel.org> wrote: > From: Janne Grunau <j@jannau.net> > > wpa_supplicant 2.11 sends since 1efdba5fdc2c ("Handle PMKSA flush in the > driver for SAE/OWE offload cases") SSID based PMKSA del commands. > brcmfmac is not prepared and tries to dereference the NULL bssid and > pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based > updates so copy the SSID. > > Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations") > Cc: stable@vger.kernel.org # 6.4.x > Signed-off-by: Janne Grunau <j@jannau.net> > Reviewed-by: Neal Gompa <neal@gompa.dev> > Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Patch applied to wireless.git, thanks. 2ad4e1ada8ee wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 5fe0e671ecb3..826b768196e2 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -4320,9 +4320,16 @@ brcmf_pmksa_v3_op(struct brcmf_if *ifp, struct cfg80211_pmksa *pmksa, /* Single PMK operation */ pmk_op->count = cpu_to_le16(1); length += sizeof(struct brcmf_pmksa_v3); - memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); - memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); - pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; + if (pmksa->bssid) + memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN); + if (pmksa->pmkid) { + memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN); + pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN; + } + if (pmksa->ssid && pmksa->ssid_len) { + memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len); + pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len; + } pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0); }