* [PATCH 2/5] iwlwifi: mvm: fix RCU splat in TKIP's update_key
2016-06-10 12:39 ` [PATCH 1/5] iwlwifi: mvm: increase scan timeout to 20 seconds Luca Coelho
@ 2016-06-10 12:39 ` Luca Coelho
2016-06-10 12:39 ` [PATCH 3/5] iwlwifi: mvm: fix potential NULL-dereference in iwl_mvm_reorder() Luca Coelho
` (2 subsequent siblings)
3 siblings, 0 replies; 7+ messages in thread
From: Luca Coelho @ 2016-06-10 12:39 UTC (permalink / raw)
To: linux-wireless; +Cc: Emmanuel Grumbach, Luca Coelho
From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The commit below mistakenly changed an rcu_dereference_check
to a rcu_dereference_protected which introduced the
following RCU warning:
[ INFO: suspicious RCU usage. ]
4.6.0-rc7-next-20160513-dbg-00004-g8de8b92-dirty #655 Not tainted
-------------------------------
drivers/net/wireless/intel/iwlwifi/mvm/mvm.h:1069 suspicious rcu_dereference_protected() usage!
Call Trace:
[<ffffffff8106b836>] lockdep_rcu_suspicious+0xf7/0x100
[<ffffffffa03b2321>] iwl_mvm_get_key_sta.part.0+0x5d/0x80 [iwlmvm]
[<ffffffffa03b4acb>] iwl_mvm_update_tkip_key+0xd3/0x162 [iwlmvm]
[<ffffffffa03a2b60>] iwl_mvm_mac_update_tkip_key+0x17/0x19 [iwlmvm]
[<ffffffffa0329646>] ieee80211_tkip_decrypt_data+0x22c/0x24b [mac80211]
[<ffffffffa0318bb1>] ieee80211_crypto_tkip_decrypt+0xc5/0x110 [mac80211]
[<ffffffffa033102e>] ieee80211_rx_handlers+0x9bb/0x1fe1 [mac80211]
Fixes: 13303c0fb148 ("iwlwifi: mvm: use helpers to get iwl_mvm_sta")
Reported-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index fea4d3437..0454bfe 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -1852,12 +1852,18 @@ static struct iwl_mvm_sta *iwl_mvm_get_key_sta(struct iwl_mvm *mvm,
mvmvif->ap_sta_id != IWL_MVM_STATION_COUNT) {
u8 sta_id = mvmvif->ap_sta_id;
+ sta = rcu_dereference_check(mvm->fw_id_to_mac_id[sta_id],
+ lockdep_is_held(&mvm->mutex));
+
/*
* It is possible that the 'sta' parameter is NULL,
* for example when a GTK is removed - the sta_id will then
* be the AP ID, and no station was passed by mac80211.
*/
- return iwl_mvm_sta_from_staid_protected(mvm, sta_id);
+ if (IS_ERR_OR_NULL(sta))
+ return NULL;
+
+ return iwl_mvm_sta_from_mac80211(sta);
}
return NULL;
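Review bot: the block comment about the 'sta' parameter being NULL now sits between the new rcu_dereference_check() and the IS_ERR_OR_NULL(sta) test, where it reads as an explanation of the check on the looked-up AP station rather than of the fallback to ap_sta_id. Move it above the `sta = rcu_dereference_check(mvm->fw_id_to_mac_id[sta_id],` line. It would also help to add a sentence saying that this lookup is legal either under rcu_read_lock() or with mvm->mutex held. The call trace in the commit message reaches iwl_mvm_get_key_sta() from ieee80211_rx_handlers via iwl_mvm_update_tkip_key(), a path on which the mutex is not held, and a comment naming that caller would stop a later cleanup from switching back to the _protected variant.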
--
2.8.1
* [PATCH 3/5] iwlwifi: mvm: fix potential NULL-dereference in iwl_mvm_reorder()
From: Luca Coelho @ 2016-06-10 12:39 UTC (permalink / raw)
To: linux-wireless; +Cc: Luca Coelho
From: Luca Coelho <luciano.coelho@intel.com>
We try to access sta before we check for IS_ERR_OR_NULL(), so we may
end up accessing a NULL pointer. To prevent that, move the conversion
from sta to mvm_sta below the check.
Fixes: b915c10174fb ("iwlwifi: mvm: add reorder buffer per queue")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index ac2c571..2c61516 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -581,7 +581,7 @@ static bool iwl_mvm_reorder(struct iwl_mvm *mvm,
struct iwl_rx_mpdu_desc *desc)
{
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
- struct iwl_mvm_sta *mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+ struct iwl_mvm_sta *mvm_sta;
struct iwl_mvm_baid_data *baid_data;
struct iwl_mvm_reorder_buffer *buffer;
struct sk_buff *tail;
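Review bot: with the initializer dropped, mvm_sta stays uninitialized from this declaration until the assignment that the next hunk adds after the IS_ERR_OR_NULL(sta) check, and the lines between the two hunks are not shown here. Please confirm that nothing in that gap reads mvm_sta, since a use there would now compile and operate on an indeterminate pointer instead of a converted one.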
@@ -604,6 +604,8 @@ static bool iwl_mvm_reorder(struct iwl_mvm *mvm,
if (WARN_ON(IS_ERR_OR_NULL(sta)))
return false;
+ mvm_sta = iwl_mvm_sta_from_mac80211(sta);
+
/* not a data packet */
if (!ieee80211_is_data_qos(hdr->frame_control) ||
is_multicast_ether_addr(hdr->addr1))
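Review bot: the guard just above the new assignment is `if (WARN_ON(IS_ERR_OR_NULL(sta)))`, and it sits in the RX reorder path, so if a NULL or error sta can really arrive here, as the commit message allows, every such frame produces a full warning with backtrace. Consider WARN_ON_ONCE so that the condition cannot flood the log. The commit message should also say whether the case is reachable with real traffic or whether the check is purely defensive, because that decides how urgent the fix is for stable trees.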
--
2.8.1
* [PATCH 4/5] iwlwifi: mvm: set the encryption type of an IGTK key
From: Luca Coelho @ 2016-06-10 12:39 UTC (permalink / raw)
To: linux-wireless; +Cc: Ayala Beker, Luca Coelho
From: Ayala Beker <ayala.beker@intel.com>
The FW expects the driver to set the encryption algorithm type when
installing the IGTK key in the HW.
Currently when installing a CMAC IGTK key we don't set the algorithm type
and as a result the FW fails to calculate the MIC of multicast management
frames.
Fix it.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index 0454bfe..b23ab4a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -1961,6 +1961,14 @@ static int iwl_mvm_send_sta_igtk(struct iwl_mvm *mvm,
struct ieee80211_key_seq seq;
const u8 *pn;
+ switch (keyconf->cipher) {
+ case WLAN_CIPHER_SUITE_AES_CMAC:
+ igtk_cmd.ctrl_flags |= cpu_to_le32(STA_KEY_FLG_CCM);
+ break;
+ default:
+ return -EINVAL;
+ }
+
memcpy(igtk_cmd.IGTK, keyconf->key, keyconf->keylen);
ieee80211_get_key_rx_seq(keyconf, 0, &seq);
pn = seq.aes_cmac.pn;
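Review bot: the memcpy() right after the new switch copies keyconf->keylen bytes into igtk_cmd.IGTK, and no length check is visible in this hunk. Now that the switch validates keyconf->cipher at this point, it is the natural place to also compare keyconf->keylen against sizeof(igtk_cmd.IGTK) and return -EINVAL on mismatch, so that the bound is explicit in the driver rather than relying on the caller. Two smaller points on the added lines: STA_KEY_FLG_CCM set for WLAN_CIPHER_SUITE_AES_CMAC reads like a CCM/CMAC mix-up, so a one-line comment saying this is the value the firmware expects for a CMAC IGTK would help, and the silent `default: return -EINVAL;` deserves a comment stating that other ciphers are intentionally rejected here.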
--
2.8.1
* [PATCH 5/5] iwlwifi: mvm: fix a few firmware capability checks
From: Luca Coelho @ 2016-06-10 12:39 UTC (permalink / raw)
To: linux-wireless; +Cc: Johannes Berg, Luca Coelho
From: Johannes Berg <johannes.berg@intel.com>
My cleanup in "iwlwifi: prepare for higher API/CAPA bits" accidentally
inverted a few tests - fix them.
Fixes: 859d914c8f5c ("iwlwifi: prepare for higher API/CAPA bits")
Reported-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
---
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index e5f267b..18a8474 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -3851,8 +3851,8 @@ static int iwl_mvm_mac_get_survey(struct ieee80211_hw *hw, int idx,
if (idx != 0)
return -ENOENT;
- if (fw_has_capa(&mvm->fw->ucode_capa,
- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
+ if (!fw_has_capa(&mvm->fw->ucode_capa,
+ IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
return -ENOENT;
mutex_lock(&mvm->mutex);
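Review bot: the commit message says a few tests were inverted but does not say what the inverted test did in iwl_mvm_mac_get_survey(). As the removed lines show, the function returned -ENOENT exactly when the firmware advertised IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS, and went on to take mvm->mutex and query when it did not. Please add a sentence on that user-visible effect to the commit message so the fix is easy to judge for backporting.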
@@ -3898,8 +3898,8 @@ static void iwl_mvm_mac_sta_statistics(struct ieee80211_hw *hw,
struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
- if (fw_has_capa(&mvm->fw->ucode_capa,
- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
+ if (!fw_has_capa(&mvm->fw->ucode_capa,
+ IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS))
return;
/* if beacon filtering isn't on mac80211 does it anyway */
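Review bot: this is the second open-coded copy of the same negated test on IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS in mac80211.c, and both copies were inverted together by the earlier cleanup. A small helper used in both places (a hypothetical name would be iwl_mvm_has_radio_beacon_stats(mvm)) would leave a single spot where the polarity can go wrong and would make the early returns read as "feature not supported" at a glance.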
--
2.8.1