2014-10-27 10:56:11

by Felix Fietkau

Subject: [PATCH 3.18] mac80211: flush keys for AP mode on ieee80211_do_stop

Userspace can add keys to an AP mode interface before start_ap has been
called. If there have been no calls to start_ap/stop_ap in the mean
time, the keys will still be around when the interface is brought down.

Signed-off-by: Felix Fietkau <[email protected]>
---
net/mac80211/iface.c | 3 ---
1 file changed, 3 deletions(-)

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index af23722..b8efd5b 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -931,9 +931,6 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
* another CPU.
*/
ieee80211_free_keys(sdata, true);
-
- /* fall through */
- case NL80211_IFTYPE_AP:
skb_queue_purge(&sdata->skb_queue);
}
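Review bot: dropping the `case NL80211_IFTYPE_AP:` label so AP interfaces fall into the default path leaves the comment directly above `ieee80211_free_keys(sdata, true)` stale, since it still describes leftover keys as something that "shouldn't be, except maybe in WDS mode?"; now that AP mode is an expected source of leftover keys, the comment should say so. The same gap exists for `NL80211_IFTYPE_AP_VLAN`, which breaks out of the switch earlier and never reaches this call, so a VLAN interface brought down with keys set before `start_ap` keeps them; add a matching `ieee80211_free_keys(sdata, true)` in that case too.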

--
2.1.2



2014-10-29 15:35:11

by Johannes Berg

Subject: Re: [PATCH 3.18] mac80211: flush keys for AP mode on ieee80211_do_stop

On Mon, 2014-10-27 at 11:56 +0100, Felix Fietkau wrote:
> Userspace can add keys to an AP mode interface before start_ap has been
> called. If there have been no calls to start_ap/stop_ap in the mean
> time, the keys will still be around when the interface is brought down.

I applied the following modified version.

johannes

From 10b68487869031828aede7313c2befc53d6d30ec Mon Sep 17 00:00:00 2001
From: Felix Fietkau <[email protected]>
Date: Mon, 27 Oct 2014 11:56:06 +0100
Subject: [PATCH] mac80211: flush keys for AP mode on ieee80211_do_stop

Userspace can add keys to an AP mode interface before start_ap has been
called. If there have been no calls to start_ap/stop_ap in the mean
time, the keys will still be around when the interface is brought down.

Signed-off-by: Felix Fietkau <[email protected]>
[adjust comments, fix AP_VLAN case]
Signed-off-by: Johannes Berg <[email protected]>
---
net/mac80211/iface.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index af237223a8cd..3b9e2b7b3f30 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -898,6 +898,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
list_del(&sdata->u.vlan.list);
mutex_unlock(&local->mtx);
RCU_INIT_POINTER(sdata->vif.chanctx_conf, NULL);
+ /* see comment in the default case below */
+ ieee80211_free_keys(sdata, true);
/* no need to tell driver */
break;
case NL80211_IFTYPE_MONITOR:
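Review bot: the `true` passed to `ieee80211_free_keys()` here forces a `synchronize_net()` on every AP_VLAN teardown, keys present or not; that is the right choice for the reason the default-case comment gives (the RX path on another CPU may still be enqueuing frames to this interface), but the one-line pointer comment could state that reason in place instead of sending the reader to a different hunk. The fact that AP_VLAN interfaces previously skipped key freeing entirely is only recorded in the bracketed "[adjust comments, fix AP_VLAN case]" line; a sentence in the commit message body would make that easier to find later.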
@@ -923,17 +925,16 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
/*
* When we get here, the interface is marked down.
* Free the remaining keys, if there are any
- * (shouldn't be, except maybe in WDS mode?)
+ * (which can happen in AP mode if userspace sets
+ * keys before the interface is operating, and maybe
+ * also in WDS mode)
*
* Force the key freeing to always synchronize_net()
* to wait for the RX path in case it is using this
- * interface enqueuing frames * at this very time on
+ * interface enqueuing frames at this very time on
* another CPU.
*/
ieee80211_free_keys(sdata, true);
-
- /* fall through */
- case NL80211_IFTYPE_AP:
skb_queue_purge(&sdata->skb_queue);
}
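Review bot: with the `case NL80211_IFTYPE_AP:` label removed, AP interfaces now take the default path and have their keys freed on every `ieee80211_do_stop`, which covers keys added before `start_ap` as the commit message describes, and the rewritten comment matches that behaviour. One nit: the comment still hedges with "maybe also in WDS mode", carrying over the uncertainty of the old "(shouldn't be, except maybe in WDS mode?)"; either confirm that WDS can leave keys behind at this point or drop the mention so the comment lists only the known case. Removing the stray `*` from "enqueuing frames * at" is a welcome cleanup.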

--
2.1.0