From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 3.18 33/57] nl80211: fix per-station group key get/del and memory leak
Date: Tue, 3 Feb 2015 15:14:24 -0800 [thread overview]
Message-ID: <20150203231216.882906653@linuxfoundation.org> (raw)
In-Reply-To: <20150203231211.486950145@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream.
In case userspace attempts to obtain key information for or delete a
unicast key, this is currently erroneously rejected unless the driver
sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
was never noticed.
Fix that, and while at it fix a potential memory leak: the error path
in the get_key() function was placed after allocating a message but
didn't free it - move it to a better place. Luckily admin permissions
are needed to call this operation.
Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/nl80211.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2805,6 +2805,9 @@ static int nl80211_get_key(struct sk_buf
if (!rdev->ops->get_key)
return -EOPNOTSUPP;
+ if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+ return -ENOENT;
+
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
if (!msg)
return -ENOMEM;
@@ -2824,10 +2827,6 @@ static int nl80211_get_key(struct sk_buf
nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
goto nla_put_failure;
- if (pairwise && mac_addr &&
- !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
- return -ENOENT;
-
err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
get_key_callback);
@@ -2998,7 +2997,7 @@ static int nl80211_del_key(struct sk_buf
wdev_lock(dev->ieee80211_ptr);
err = nl80211_key_allowed(dev->ieee80211_ptr);
- if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
+ if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
!(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
err = -ENOENT;
next prev parent reply other threads:[~2015-02-03 23:47 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-03 23:13 [PATCH 3.18 00/57] 3.18.6-stable review Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 01/57] x86, build: replace Perl script with Shell script Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 02/57] spi: dw: Fix detecting FIFO depth Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 03/57] spi: dw-mid: fix FIFO size Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 04/57] vm: add VM_FAULT_SIGSEGV handling support Greg Kroah-Hartman
2015-02-10 8:22 ` Konstantin Khlebnikov
2015-02-10 8:22 ` Konstantin Khlebnikov
2015-02-11 3:43 ` Greg Kroah-Hartman
2015-02-11 3:43 ` Greg Kroah-Hartman
2015-02-11 3:49 ` Linus Torvalds
2015-02-11 3:49 ` Linus Torvalds
2015-02-11 4:16 ` Greg Kroah-Hartman
2015-02-11 4:16 ` Greg Kroah-Hartman
2015-02-11 5:34 ` Konstantin Khlebnikov
2015-02-11 5:34 ` Konstantin Khlebnikov
2015-02-16 9:50 ` Luis Henriques
2015-02-16 9:50 ` Luis Henriques
2015-02-16 9:50 ` Luis Henriques
2015-02-03 23:13 ` [PATCH 3.18 05/57] arc: mm: Fix build failure Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 06/57] vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 07/57] ASoC: wm8960: Fix capture sample rate from 11250 to 11025 Greg Kroah-Hartman
2015-02-03 23:13 ` [PATCH 3.18 08/57] ASoC: pcm512x: Fix DSP program selection Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 09/57] ASoC: fsl_esai: Fix incorrect xDC field width of xCCR registers Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 10/57] ASoC: soc-compress.c: fix NULL dereference Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 11/57] ASoC: simple-card: Fix crash in asoc_simple_card_unref() Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 12/57] ASoC: omap-mcbsp: Correct CBM_CFS dai format configuration Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 13/57] udf: Release preallocation on last writeable close Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 14/57] can: kvaser_usb: Do not sleep in atomic context Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 15/57] can: kvaser_usb: Send correct context to URB completion Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 16/57] can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 17/57] can: kvaser_usb: Fix state handling upon BUS_ERROR events Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 18/57] powerpc/xmon: Fix another endiannes issue in RTAS call from xmon Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 19/57] ALSA: seq-dummy: remove deadlock-causing events on close Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 20/57] rbd: drop parent_ref in rbd_dev_unprobe() unconditionally Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 21/57] rbd: fix rbd_dev_parent_get() when parent_overlap == 0 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 22/57] USB: Add OTG PET device to TPL Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 23/57] usb-storage/SCSI: blacklist FUA on JMicron 152d:2566 USB-SATA controller Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 24/57] uas: Add no-report-opcodes quirk for Simpletech devices with id 4971:8017 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 25/57] i2c: s3c2410: fix ABBA deadlock by keeping clock prepared Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 26/57] Input: synaptics - adjust min/max for Lenovo ThinkPad X1 Carbon 2nd Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 27/57] Input: elantech - add more Fujtisu notebooks to force crc_enabled Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 28/57] Input: i8042 - add noloop quirk for Medion Akoya E7225 (MD98857) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 29/57] nfs: fix dio deadlock when O_DIRECT flag is flipped Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 30/57] NFSv4.1: Fix an Oops in nfs41_walk_client_list Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 31/57] mac80211: properly set CCK flag in radiotap Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 32/57] mac80211: only roll back station states for WDS when suspending Greg Kroah-Hartman
2015-02-03 23:14 ` Greg Kroah-Hartman [this message]
2015-02-03 23:14 ` [PATCH 3.18 34/57] pinctrl: at91: allow to have disabled gpio bank Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 35/57] ARM: mvebu: dont set the PL310 in I/O coherency mode when I/O coherency is disabled Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 36/57] dm thin: dont allow messages to be sent to a pool target in READ_ONLY or FAIL mode Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 37/57] dm cache: fix missing ERR_PTR returns and handling Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 38/57] drm/vmwgfx: Replace the hw mutex with a hw spinlock Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 41/57] spi/pxa2xx: Clear cur_chip pointer before starting next message Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 42/57] drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 43/57] regulator: core: fix race condition in regulator_put() Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 44/57] drivers: net: cpsw: discard dual emac default vlan configuration Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 45/57] drm: fix fb-helper vs MST dangling connector ptrs (v2) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 46/57] drm/i915: Only fence tiled region of object Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 47/57] drm/i915: BDW Fix Halo PCI IDs marked as ULT Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 48/57] drm/i915: Init PPGTT before context enable Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 49/57] drm/i915: fix inconsistent brightness after resume Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 50/57] quota: Switch ->get_dqblk() and ->set_dqblk() to use bytes as space units Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 51/57] memcg: remove extra newlines from memcg oom kill log Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 52/57] perf/x86/intel: Add model number for Airmont Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 53/57] perf/rapl: Fix crash in rapl_scale() Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 54/57] HID: rmi: Check for additional ACM registers appended to F11 data report Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 55/57] can: c_can: end pending transmission on network stop (ifdown) Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 56/57] clocksource: arch_timer: Only use the virtual counter (CNTVCT) on arm64 Greg Kroah-Hartman
2015-02-03 23:14 ` [PATCH 3.18 57/57] xen/arm/arm64: introduce xen_arch_need_swiotlb Greg Kroah-Hartman
2015-02-04 14:03 ` [PATCH 3.18 00/57] 3.18.6-stable review Guenter Roeck
2015-02-04 19:22 ` Greg Kroah-Hartman
2015-02-04 17:30 ` Shuah Khan
2015-02-04 19:22 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150203231216.882906653@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.