Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1817293ybb;
        Thu, 26 Mar 2020 07:53:04 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vvG3ChURbH7pUoUtxNmwNxtDd8hXr+RJyw+xod0Bs/G5wRjef8LN1KSiiB4qHkNzImDXNiE
X-Received: by 2002:a05:6830:11c1:: with SMTP id v1mr6629369otq.264.1585234384036;
        Thu, 26 Mar 2020 07:53:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585234384; cv=none;
        d=google.com; s=arc-20160816;
        b=vz2cJU+V5gwti+uegm3be3urU6fN0m/zXY8zn0aXRlS3MOUh5pOFp7Tqotx3MZq7t9
         rCq9nHRrbC//VgExegrkh3dxeeHtVuIVWdFvYlttoPbwvtoY6by7p6sSfkSA0QS5rsz5
         q89QSH0TlAn+x52Mn+dh4AoU3JkJ1vOGC2cUtyyzfE42jP5C00YGoaYm3HVxNW9yvlzC
         43W3XKoiYGd1usDOGvzV03N43wy1/S0SzReMDzo5x1Fo9tQ9P+1b1aqm4Xcfo6eferbG
         5fq7/JdNUUNoKx7sRVWa7YpR31BbUdxTQ/U6FV/wCI4q+YZmDJLHvKVWSTdqunqzd4ug
         7NLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=0OnJ56iRlz1ucQfM5fUhlCtp4w2JErDB+ZAqn6BzaOs=;
        b=TlGS6eiivHz/kP0ew8Ddeuwf2YNHCLakh0vtzTOUvgTnenkYFAtkDhMQclZFvBlISE
         6EA3F0LiN4uyShBfO6xPCmh+QVG2xZ0GOt7LmAEOrGZsknGzoXozCpBllqHpxpV5LNnF
         DMuzWl9AlXtFGkU59j6Snf03bKyKkAotyUdDgGxP/q7y5BpCkYWB3MTC5/rHcFuBb69x
         jZ/h6PvpwJTgSuN4SCvupYkj+geI0T5I7yAG0uprAFfuUP0Ve7bokP3xlLn1ZMXhDUJy
         fXOTLH/YWa/ZppKWy+MHL60uNZ38KQtHSle9NHiRT59g9ZbTukuIL0i5RNSSwW8X5N4w
         XMAw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d13si1085292oij.140.2020.03.26.07.52.52;
        Thu, 26 Mar 2020 07:53:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-wireless-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728322AbgCZOvu (ORCPT <rfc822;asselsm@gmail.com> + 99 others);
        Thu, 26 Mar 2020 10:51:50 -0400
Received: from s3.sipsolutions.net ([144.76.43.62]:48760 "EHLO
        sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728203AbgCZOvt (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Thu, 26 Mar 2020 10:51:49 -0400
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.93)
        (envelope-from <johannes@sipsolutions.net>)
        id 1jHTrH-00BYfo-RB; Thu, 26 Mar 2020 15:51:47 +0100
From:   Johannes Berg <johannes@sipsolutions.net>
To:     linux-wireless@vger.kernel.org
Cc:     Johannes Berg <johannes.berg@intel.com>, stable@vger.kernel.org
Subject: [PATCH 2/2] mac80211: mark station unauthorized before key removal
Date:   Thu, 26 Mar 2020 15:51:35 +0100
Message-Id: <20200326155133.ccb4fb0bb356.If48f0f0504efdcf16b8921f48c6d3bb2cb763c99@changeid>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid>
References: <20200326155133.ced84317ea29.I34d4c47cd8cc8a4042b38a76f16a601fbcbfd9b3@changeid>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Johannes Berg <johannes.berg@intel.com>

If a station is still marked as authorized, mark it as no longer
so before removing its keys. This allows frames transmitted to it
to be rejected, providing additional protection against leaking
plain text data during the disconnection flow.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/sta_info.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 0f5f40678885..e3572be307d6 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -4,7 +4,7 @@
  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
- * Copyright (C) 2018-2019 Intel Corporation
+ * Copyright (C) 2018-2020 Intel Corporation
  */
 
 #include <linux/module.h>
@@ -1049,6 +1049,11 @@ static void __sta_info_destroy_part2(struct sta_info *sta)
 	might_sleep();
 	lockdep_assert_held(&local->sta_mtx);
 
+	while (sta->sta_state == IEEE80211_STA_AUTHORIZED) {
+		ret = sta_info_move_state(sta, IEEE80211_STA_ASSOC);
+		WARN_ON_ONCE(ret);
+	}
+
 	/* now keys can no longer be reached */
 	ieee80211_free_sta_keys(local, sta);
 
-- 
2.25.1