Hi Hector,
On 3/11/23 10:55, Hector Martin wrote:
Hi,
This broke WPA auth entirely on brcmfmac (in offload mode) and probably others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please revert or fix. Notes below.
Reported-by: Ilya me@0upti.me Reported-by: Janne Grunau j@jannau.net
#regzbot introduced: 015b8cc5e7c4d7 #regzbot monitor: https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@wet...
I can confirm this bug, I was seeing broken wifi on brcmfmac with 6.3-rc1 and I was about to start a git bisect for this this morning when I saw this email.
Reverting 015b8cc5e7c4d7 fixes the broken wifi. Hector, thank you, you just saved me from a bisect on somewhat slow hardware :)
Regards,
Hans
On 24/01/2023 23.18, Alexander Wetzel wrote:
Key information in wext.connect is not reset on (re)connect and can hold data from a previous connection.
Reset key data to avoid that drivers or mac80211 incorrectly detect a WEP connection request and access the freed or already reused memory.
Additionally optimize cfg80211_sme_connect() and avoid an useless schedule of conn_work.
Fixes: fffd0934b939 ("cfg80211: rework key operation") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@wetzel-home.d... Signed-off-by: Alexander Wetzel alexander@wetzel-home.de
V2 changes:
- updated comment
- reset more key data
net/wireless/sme.c | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c index 123248b2c0be..0cc841c0c59b 100644 --- a/net/wireless/sme.c +++ b/net/wireless/sme.c
[snip]
@@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev,
This if branch only fires if the connection is WEP.
} else { if (WARN_ON(connkeys)) return -EINVAL;
/* connect can point to wdev->wext.connect which* can hold key data from a previous connection*/connect->key = NULL;connect->key_len = 0;connect->key_idx = 0;And these are indeed only used by WEP.
connect->crypto.cipher_group = 0;connect->crypto.n_ciphers_pairwise = 0;But here you're killing the info that is used for *other* auth modes too if !WEP, breaking WPA and everything else.
} wdev->connect_keys = connkeys;
- Hector