lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <201003190316.28515.s.L-H@gmx.de>
Date:	Fri, 19 Mar 2010 03:16:22 +0100
From:	"Stefan Lippers-Hollmann" <s.L-H@....de>
To:	gregkh@...e.de
Cc:	linux-kernel@...r.kernel.org, Larry.Finger@...inger.net,
	johannes@...solutions.net, linville@...driver.com, mb@...sch.de,
	stable@...nel.org
Subject: Re: patch b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch added to 2.6.33-stable tree

Hi

On Friday 19 March 2010, gregkh@...e.de wrote:
> This is a note to let you know that we have just queued up the patch titled
> 
>     Subject: b43: Workaround circular locking in hw-tkip key update callback
> 
> to the 2.6.33-stable tree.  Its filename is
[...]
> From: Larry Finger <Larry.Finger@...inger.net>
> Date: Wed, 10 Mar 2010 22:10:32 -0600
> Subject: b43: Workaround circular locking in hw-tkip key update callback
> To: Greg Kroah-Hartman <gregkh@...e.de>
> Cc: Michael Buesch <mb@...sch.de>
> Message-ID: <4b986d38.aOKVIPS3U9/aYsOP%Larry.Finger@...inger.net>
> 
> From: Michael Buesch <mb@...sch.de>
> 
> commit 96869a39399269a776a94812e9fff3d38b47d838 upstream
> 
> The TKIP key update callback is called from the RX path, where the driver
> mutex is already locked. This results in a circular locking bug.
> Avoid this by removing the lock.
>     
> Johannes noted that there is a separate bug: The callback still breaks on SDIO
> hardware, because SDIO hardware access needs to sleep, but we are not allowed
> to sleep in the callback due to mac80211's RCU locking.
[...]

This patch breaks compiling 2.6.33.1 + the current stable queue (and likely 
queue-2.6.32 as well):

  CC [M]  drivers/net/wireless/b43/main.o
drivers/net/wireless/b43/main.c: In function 'b43_op_update_tkip_key':
drivers/net/wireless/b43/main.c:868: error: 'sta' undeclared (first use in this function)
drivers/net/wireless/b43/main.c:868: error: (Each undeclared identifier is reported only once
drivers/net/wireless/b43/main.c:868: error: for each function it appears in.)

as it is based on the mac80211 API change of 

Gitweb:     http://git.kernel.org/linus/b3fbdcf49f940d0703c356441e0daf045e64e076
Commit:     b3fbdcf49f940d0703c356441e0daf045e64e076
Parent:     e4fca007b06165900d0e44e8d5e251376819bf5d
Author:     Johannes Berg <johannes@...solutions.net>
AuthorDate: Thu Jan 21 11:40:47 2010 +0100
Committer:  John W. Linville <linville@...driver.com>
CommitDate: Fri Jan 22 16:08:55 2010 -0500

    mac80211: pass vif and station to update_tkip_key
    
    When a TKIP key is updated, we should pass the station
    pointer instead of just the address, since drivers can
    use that to store their own data. We also need to pass
    the virtual interface pointer.

which also touches, besides the API mac80211 tkip handling, iwl-agn as well
as b43.

Regards
	Stefan Lippers-Hollmann

-- 
> --- a/drivers/net/wireless/b43/main.c
> +++ b/drivers/net/wireless/b43/main.c
> @@ -852,19 +852,19 @@ static void b43_op_update_tkip_key(struc
>  	if (B43_WARN_ON(!modparam_hwtkip))
>  		return;
>  
> -	mutex_lock(&wl->mutex);
> -
> +	/* This is only called from the RX path through mac80211, where
> +	 * our mutex is already locked. */
> +	B43_WARN_ON(!mutex_is_locked(&wl->mutex));
>  	dev = wl->current_dev;
> -	if (!dev || b43_status(dev) < B43_STAT_INITIALIZED)
> -		goto out_unlock;
> +	B43_WARN_ON(!dev || b43_status(dev) < B43_STAT_INITIALIZED);
>  
>  	keymac_write(dev, index, NULL);	/* First zero out mac to avoid race */
>  
>  	rx_tkip_phase1_write(dev, index, iv32, phase1key);
> +	/* only pairwise TKIP keys are supported right now */
> +	if (WARN_ON(!sta))
> +		return;
>  	keymac_write(dev, index, addr);
> -
> -out_unlock:
> -	mutex_unlock(&wl->mutex);
>  }
>  
>  static void do_key_write(struct b43_wldev *dev,
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ