From: Michael Buesch <mb@bu3sch.de>
To: Jiri Benc <jbenc@suse.cz>
Cc: John Linville <linville@tuxdriver.com>, linux-wireless@vger.kernel.org
Subject: Re: [PATCH] mac80211: Allow sleeping in set_key op
Date: Mon, 7 May 2007 22:44:23 +0200 [thread overview]
Message-ID: <200705072244.23736.mb@bu3sch.de> (raw)
In-Reply-To: <20070507185224.45f98d56@midnight.suse.cz>
On Monday 07 May 2007 18:52:24 Jiri Benc wrote:
> On Sun, 6 May 2007 20:37:34 +0200 Michael Buesch wrote:
> > [...]
> > static void finish_sta_info_free(struct ieee80211_local *local,
> > struct sta_info *sta)
> > {
> > + sta_info_key_disable(local, sta);
> > +
> > #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
> > printk(KERN_DEBUG "%s: Removed STA " MAC_FMT "\n",
> > local->mdev->name, MAC_ARG(sta->addr));
> > @@ -213,6 +246,16 @@ static void finish_sta_info_free(struct
> > sta_info_put(sta);
> > }
>
> There is a race here. You already removed the sta from sta_hash list
> and you're not protected by any lock. Thus, it is possible to add a new
> station with the same address before finish_sta_info_free is called.
> When this happens, you call the set_key handler for the new key and
> after that you call it again with DISABLE_KEY.
>
> It's not easy to get this right. I remember also problems with
> dereferencing already freed key when I thought about possible ways to
> solve exactly this problem.
I'm not sure this race exists.
You assume that when a new key is added with the same mac as before
it overrides the old key. I think that's a bug in the driver then.
IMO the driver _must_ keep track of used key "slots" and don't
re-allocate them for new keys until disable-key is called.
And that's exactly what bcm43xx does.
IMO it's a bug in the driver, when it overrides a key that's not
DISABLEd.
Short: I don't think there is a race, and if, then it's a driver bug.
This is one of the showstopper bugs for bcm43xx to get merged.
(There are others, though).
--
Greetings Michael.
next prev parent reply other threads:[~2007-05-07 20:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-06 18:37 [PATCH] mac80211: Allow sleeping in set_key op Michael Buesch
2007-05-07 16:52 ` Jiri Benc
2007-05-07 20:44 ` Michael Buesch [this message]
2007-05-14 17:37 ` Jiri Benc
2007-05-14 17:47 ` Michael Buesch
2007-05-07 19:17 ` Michael Wu
2007-05-07 20:50 ` Michael Buesch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200705072244.23736.mb@bu3sch.de \
--to=mb@bu3sch.de \
--cc=jbenc@suse.cz \
--cc=linux-wireless@vger.kernel.org \
--cc=linville@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.