diff options
| author | Tomas Winkler <tomas.winkler@intel.com> | 2008-11-25 16:29:03 -0500 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2008-12-05 09:18:34 -0500 |
| commit | 40a9a8299116297429298e8fcee08235134883f7 (patch) | |
| tree | 5e5866e058a89405fe03e1603848a3440ab582ee /drivers | |
| parent | f706644d55f90e8306d87060168fef33804d6dd9 (diff) | |
iwlwifi: clean key table in iwl_clear_stations_table function
This patch cleans uCode key table bit map iwl_clear_stations_table
since all stations are cleared also the key table must be.
Since the keys are not removed properly on suspend by mac80211
this may result in exhausting key table on resume leading
to memory corruption during removal
This patch also fixes a memory corruption problem reported in
http://marc.info/?l=linux-wireless&m=122641417231586&w=2 and tracked in
http://bugzilla.kernel.org/show_bug.cgi?id=12040.
When the key is removed a second time the offset is set to 255 - this
index is not valid for the ucode_key_table and corrupts the eeprom pointer
(which is 255 bits from ucode_key_table).
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Reported-by: Carlos R. Mafra <crmafra2@gmail.com>
Reported-by: Lukas Hejtmanek <xhejtman@ics.muni.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-core.c | 3 | ||||
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-sta.c | 24 |
2 files changed, 24 insertions, 3 deletions
diff --git a/drivers/net/wireless/iwlwifi/iwl-core.c b/drivers/net/wireless/iwlwifi/iwl-core.c index 4c312c55f90c..01a845851338 100644 --- a/drivers/net/wireless/iwlwifi/iwl-core.c +++ b/drivers/net/wireless/iwlwifi/iwl-core.c | |||
| @@ -290,6 +290,9 @@ void iwl_clear_stations_table(struct iwl_priv *priv) | |||
| 290 | priv->num_stations = 0; | 290 | priv->num_stations = 0; |
| 291 | memset(priv->stations, 0, sizeof(priv->stations)); | 291 | memset(priv->stations, 0, sizeof(priv->stations)); |
| 292 | 292 | ||
| 293 | /* clean ucode key table bit map */ | ||
| 294 | priv->ucode_key_table = 0; | ||
| 295 | |||
| 293 | spin_unlock_irqrestore(&priv->sta_lock, flags); | 296 | spin_unlock_irqrestore(&priv->sta_lock, flags); |
| 294 | } | 297 | } |
| 295 | EXPORT_SYMBOL(iwl_clear_stations_table); | 298 | EXPORT_SYMBOL(iwl_clear_stations_table); |
diff --git a/drivers/net/wireless/iwlwifi/iwl-sta.c b/drivers/net/wireless/iwlwifi/iwl-sta.c index 61797f3f8d5c..26f7084d3011 100644 --- a/drivers/net/wireless/iwlwifi/iwl-sta.c +++ b/drivers/net/wireless/iwlwifi/iwl-sta.c | |||
| @@ -475,7 +475,7 @@ static int iwl_get_free_ucode_key_index(struct iwl_priv *priv) | |||
| 475 | if (!test_and_set_bit(i, &priv->ucode_key_table)) | 475 | if (!test_and_set_bit(i, &priv->ucode_key_table)) |
| 476 | return i; | 476 | return i; |
| 477 | 477 | ||
| 478 | return -1; | 478 | return WEP_INVALID_OFFSET; |
| 479 | } | 479 | } |
| 480 | 480 | ||
| 481 | int iwl_send_static_wepkey_cmd(struct iwl_priv *priv, u8 send_if_empty) | 481 | int iwl_send_static_wepkey_cmd(struct iwl_priv *priv, u8 send_if_empty) |
| @@ -620,6 +620,9 @@ static int iwl_set_wep_dynamic_key_info(struct iwl_priv *priv, | |||
| 620 | /* else, we are overriding an existing key => no need to allocated room | 620 | /* else, we are overriding an existing key => no need to allocated room |
| 621 | * in uCode. */ | 621 | * in uCode. */ |
| 622 | 622 | ||
| 623 | WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET, | ||
| 624 | "no space for new kew"); | ||
| 625 | |||
| 623 | priv->stations[sta_id].sta.key.key_flags = key_flags; | 626 | priv->stations[sta_id].sta.key.key_flags = key_flags; |
| 624 | priv->stations[sta_id].sta.sta.modify_mask = STA_MODIFY_KEY_MASK; | 627 | priv->stations[sta_id].sta.sta.modify_mask = STA_MODIFY_KEY_MASK; |
| 625 | priv->stations[sta_id].sta.mode = STA_CONTROL_MODIFY_MSK; | 628 | priv->stations[sta_id].sta.mode = STA_CONTROL_MODIFY_MSK; |
| @@ -637,6 +640,7 @@ static int iwl_set_ccmp_dynamic_key_info(struct iwl_priv *priv, | |||
| 637 | { | 640 | { |
| 638 | unsigned long flags; | 641 | unsigned long flags; |
| 639 | __le16 key_flags = 0; | 642 | __le16 key_flags = 0; |
| 643 | int ret; | ||
| 640 | 644 | ||
| 641 | key_flags |= (STA_KEY_FLG_CCMP | STA_KEY_FLG_MAP_KEY_MSK); | 645 | key_flags |= (STA_KEY_FLG_CCMP | STA_KEY_FLG_MAP_KEY_MSK); |
| 642 | key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); | 646 | key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); |
| @@ -664,14 +668,18 @@ static int iwl_set_ccmp_dynamic_key_info(struct iwl_priv *priv, | |||
| 664 | /* else, we are overriding an existing key => no need to allocated room | 668 | /* else, we are overriding an existing key => no need to allocated room |
| 665 | * in uCode. */ | 669 | * in uCode. */ |
| 666 | 670 | ||
| 671 | WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET, | ||
| 672 | "no space for new kew"); | ||
| 673 | |||
| 667 | priv->stations[sta_id].sta.key.key_flags = key_flags; | 674 | priv->stations[sta_id].sta.key.key_flags = key_flags; |
| 668 | priv->stations[sta_id].sta.sta.modify_mask = STA_MODIFY_KEY_MASK; | 675 | priv->stations[sta_id].sta.sta.modify_mask = STA_MODIFY_KEY_MASK; |
| 669 | priv->stations[sta_id].sta.mode = STA_CONTROL_MODIFY_MSK; | 676 | priv->stations[sta_id].sta.mode = STA_CONTROL_MODIFY_MSK; |
| 670 | 677 | ||
| 678 | ret = iwl_send_add_sta(priv, &priv->stations[sta_id].sta, CMD_ASYNC); | ||
| 679 | |||
| 671 | spin_unlock_irqrestore(&priv->sta_lock, flags); | 680 | spin_unlock_irqrestore(&priv->sta_lock, flags); |
| 672 | 681 | ||
| 673 | IWL_DEBUG_INFO("hwcrypto: modify ucode station key info\n"); | 682 | return ret; |
| 674 | return iwl_send_add_sta(priv, &priv->stations[sta_id].sta, CMD_ASYNC); | ||
| 675 | } | 683 | } |
| 676 | 684 | ||
| 677 | static int iwl_set_tkip_dynamic_key_info(struct iwl_priv *priv, | 685 | static int iwl_set_tkip_dynamic_key_info(struct iwl_priv *priv, |
| @@ -696,6 +704,9 @@ static int iwl_set_tkip_dynamic_key_info(struct iwl_priv *priv, | |||
| 696 | /* else, we are overriding an existing key => no need to allocated room | 704 | /* else, we are overriding an existing key => no need to allocated room |
| 697 | * in uCode. */ | 705 | * in uCode. */ |
| 698 | 706 | ||
| 707 | WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET, | ||
| 708 | "no space for new kew"); | ||
| 709 | |||
| 699 | /* This copy is acutally not needed: we get the key with each TX */ | 710 | /* This copy is acutally not needed: we get the key with each TX */ |
| 700 | memcpy(priv->stations[sta_id].keyinfo.key, keyconf->key, 16); | 711 | memcpy(priv->stations[sta_id].keyinfo.key, keyconf->key, 16); |
| 701 | 712 | ||
| @@ -734,6 +745,13 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv, | |||
| 734 | return 0; | 745 | return 0; |
| 735 | } | 746 | } |
| 736 | 747 | ||
| 748 | if (priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET) { | ||
| 749 | IWL_WARNING("Removing wrong key %d 0x%x\n", | ||
| 750 | keyconf->keyidx, key_flags); | ||
| 751 | spin_unlock_irqrestore(&priv->sta_lock, flags); | ||
| 752 | return 0; | ||
| 753 | } | ||
| 754 | |||
| 737 | if (!test_and_clear_bit(priv->stations[sta_id].sta.key.key_offset, | 755 | if (!test_and_clear_bit(priv->stations[sta_id].sta.key.key_offset, |
| 738 | &priv->ucode_key_table)) | 756 | &priv->ucode_key_table)) |
| 739 | IWL_ERROR("index %d not used in uCode key table.\n", | 757 | IWL_ERROR("index %d not used in uCode key table.\n", |