diff options
| author | Jouni Malinen <jouni.malinen@atheros.com> | 2008-08-28 08:12:06 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-09-02 17:39:50 -0400 |
| commit | 2b58b209399844995ad48e421267e359e16c03db (patch) | |
| tree | 25f04fc9b6efa005666fff54f0ccecc38fa32b83 | |
| parent | 9a52028e534b0567913a4144060e774891c00a37 (diff) | |
mac80211: Fix debugfs union misuse and pointer corruption
debugfs union in struct ieee80211_sub_if_data is misused by including a
common default_key dentry as a union member. This ends occupying the same
memory area with the first dentry in other union members (structures;
usually drop_unencrypted). Consequently, debugfs operations on
default_key symlinks and drop_unencrypted entry are using the same
dentry pointer even though they are supposed to be separate ones. This
can lead to removing entries incorrectly or potentially leaving
something behind since one of the dentry pointers gets lost.
Fix this by moving the default_key dentry to a new struct
(common_debugfs) that contains dentries (more to be added in future)
that are shared by all vif types. The debugfs union must only be used
for vif type-specific entries to avoid this type of pointer corruption.
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | net/mac80211/debugfs_key.c | 6 | ||||
| -rw-r--r-- | net/mac80211/ieee80211_i.h | 4 |
2 files changed, 6 insertions, 4 deletions
diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c index 7439b63df5d..cf82acec913 100644 --- a/net/mac80211/debugfs_key.c +++ b/net/mac80211/debugfs_key.c | |||
| @@ -265,7 +265,7 @@ void ieee80211_debugfs_key_add_default(struct ieee80211_sub_if_data *sdata) | |||
| 265 | key = sdata->default_key; | 265 | key = sdata->default_key; |
| 266 | if (key) { | 266 | if (key) { |
| 267 | sprintf(buf, "../keys/%d", key->debugfs.cnt); | 267 | sprintf(buf, "../keys/%d", key->debugfs.cnt); |
| 268 | sdata->debugfs.default_key = | 268 | sdata->common_debugfs.default_key = |
| 269 | debugfs_create_symlink("default_key", | 269 | debugfs_create_symlink("default_key", |
| 270 | sdata->debugfsdir, buf); | 270 | sdata->debugfsdir, buf); |
| 271 | } else | 271 | } else |
| @@ -277,8 +277,8 @@ void ieee80211_debugfs_key_remove_default(struct ieee80211_sub_if_data *sdata) | |||
| 277 | if (!sdata) | 277 | if (!sdata) |
| 278 | return; | 278 | return; |
| 279 | 279 | ||
| 280 | debugfs_remove(sdata->debugfs.default_key); | 280 | debugfs_remove(sdata->common_debugfs.default_key); |
| 281 | sdata->debugfs.default_key = NULL; | 281 | sdata->common_debugfs.default_key = NULL; |
| 282 | } | 282 | } |
| 283 | 283 | ||
| 284 | void ieee80211_debugfs_key_sta_del(struct ieee80211_key *key, | 284 | void ieee80211_debugfs_key_sta_del(struct ieee80211_key *key, |
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 586a9b49b0f..4498d871365 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h | |||
| @@ -496,8 +496,10 @@ struct ieee80211_sub_if_data { | |||
| 496 | struct { | 496 | struct { |
| 497 | struct dentry *mode; | 497 | struct dentry *mode; |
| 498 | } monitor; | 498 | } monitor; |
| 499 | struct dentry *default_key; | ||
| 500 | } debugfs; | 499 | } debugfs; |
| 500 | struct { | ||
| 501 | struct dentry *default_key; | ||
| 502 | } common_debugfs; | ||
| 501 | 503 | ||
| 502 | #ifdef CONFIG_MAC80211_MESH | 504 | #ifdef CONFIG_MAC80211_MESH |
| 503 | struct dentry *mesh_stats_dir; | 505 | struct dentry *mesh_stats_dir; |