On Sat, Aug 3, 2024 at 3:53 PM Janne Grunau via B4 Relay <devnull+j.jannau.net@kernel.org> wrote:
From: Janne Grunau <j@jannau.net>
Since 1efdba5fdc2c ("Handle PMKSA flush in the driver for SAE/OWE offload cases"), wpa_supplicant 2.11 sends SSID based PMKSA del commands. brcmfmac is not prepared and tries to dereference the NULL bssid and pmkid pointers in cfg80211_pmksa. PMKID_V3 operations support SSID based updates, so copy the SSID.
Fixes: a96202acaea4 ("wifi: brcmfmac: cfg80211: Add support for PMKID_V3 operations")
Cc: stable@vger.kernel.org
Signed-off-by: Janne Grunau <j@jannau.net>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 5fe0e671ecb3..826b768196e2 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c @@ -4320,9 +4320,16 @@ brcmf_pmksa_v3_op(struct brcmf_if *ifp, struct cfg80211_pmksa *pmksa, /* Single PMK operation */ pmk_op->count = cpu_to_le16(1); length += sizeof(struct brcmf_pmksa_v3);
memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN);
memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN);
pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN;
if (pmksa->bssid)
memcpy(pmk_op->pmk[0].bssid, pmksa->bssid, ETH_ALEN);
if (pmksa->pmkid) {
memcpy(pmk_op->pmk[0].pmkid, pmksa->pmkid, WLAN_PMKID_LEN);
pmk_op->pmk[0].pmkid_len = WLAN_PMKID_LEN;
}
if (pmksa->ssid && pmksa->ssid_len) {
memcpy(pmk_op->pmk[0].ssid.SSID, pmksa->ssid, pmksa->ssid_len);
pmk_op->pmk[0].ssid.SSID_len = pmksa->ssid_len;
} pmk_op->pmk[0].time_left = cpu_to_le32(alive ? BRCMF_PMKSA_NO_EXPIRY : 0); }
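Review bot: the new SSID branch copies pmksa->ssid_len bytes into pmk_op->pmk[0].ssid.SSID without bounding it against the size of that field, so correctness depends on the caller having already limited ssid_len (nl80211 caps NL80211_ATTR_SSID at IEEE80211_MAX_SSID_LEN); making that explicit in the driver, e.g. `if (WARN_ON(pmksa->ssid_len > sizeof(pmk_op->pmk[0].ssid.SSID))) return -EINVAL;` before the memcpy, would keep a future caller from turning this into an overflow. Also, moving the `pmkid_len = WLAN_PMKID_LEN` assignment inside `if (pmksa->pmkid)` leaves pmkid_len untouched when pmkid is NULL; that is only correct if pmk_op is zero-initialised before this block, which is not visible in the hunk, so please confirm or set it to 0 explicitly in the else path.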
base-commit: 0c3836482481200ead7b416ca80c68a29cfdaabd
change-id: 20240803-brcmfmac_pmksa_del_ssid-3c35efe35330
This looks reasonable to me and works on my Macs.
Reviewed-by: Neal Gompa neal@gompa.dev
-- 真実はいつも一つ!/ Always, there's only one truth!