source: branches/chaos_calmer/package/kernel/mac80211/patches/351-0035-brcmfmac-fix-pmksa-bssid-usage.patch @ 49407

Last change on this file since 49407 was 49407, checked in by rmilecki, 12 months ago

mac80211: brcmfmac: backport changes from 2016-09-27

This fixes memory leaks, some possible crashes and a bug that could cause
WARNING on every add_key/del_key call. It also replaces WARNING with
a simple message. They may still occur e.g. on station going out of
range and A-MPDU stall in the firmware.

Signed-off-by: Rafał Miłecki <rafal@…>

File size: 1.9 KB
  • drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

    From 7703773ef1d85b40433902a8da20167331597e4a Mon Sep 17 00:00:00 2001
    From: Nicolas Iooss <>
    Date: Tue, 23 Aug 2016 11:37:17 +0200
    Subject: [PATCH] brcmfmac: fix pmksa->bssid usage

    The struct cfg80211_pmksa defines its bssid field as:

        const u8 *bssid;

    contrary to struct brcmf_pmksa, which uses:

        u8 bssid[ETH_ALEN];

    Therefore in brcmf_cfg80211_del_pmksa(), &pmksa->bssid takes the address
    of this field (of type u8**), not the one of its content (which would be
    u8*).  Remove the & operator to make brcmf_dbg("%pM") and memcmp()
    behave as expected.

    This bug has been found using a custom static checker (which checks the
    usage of %p... attributes at build time).  It has been introduced in
    commit 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code"),
    which replaced pmksa->bssid by &pmksa->bssid while refactoring the code,
    without modifying struct cfg80211_pmksa definition.

    Replace &pmk[i].bssid with pmk[i].bssid too to make the code clearer,
    this change does not affect the semantics.

    Fixes: 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code")
    Signed-off-by: Nicolas Iooss <>
    Signed-off-by: Kalle Valo <>
     drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++--
     1 file changed, 2 insertions(+), 2 deletions(-)
    a b brcmf_cfg80211_del_pmksa(struct wiphy *w 
    38043804        if (!check_vif_up(ifp->vif)) 
    38053805                return -EIO; 
    3807         brcmf_dbg(CONN, "del_pmksa - PMK bssid = %pM\n", &pmksa->bssid); 
     3807        brcmf_dbg(CONN, "del_pmksa - PMK bssid = %pM\n", pmksa->bssid); 
    38093809        npmk = le32_to_cpu(cfg->pmk_list.npmk); 
    38103810        for (i = 0; i < npmk; i++) 
    3811                 if (!memcmp(&pmksa->bssid, &pmk[i].bssid, ETH_ALEN)) 
     3811                if (!memcmp(pmksa->bssid, pmk[i].bssid, ETH_ALEN)) 
    38123812                        break; 
    38143814        if ((npmk > 0) && (i < npmk)) { 
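Review bot: on the new memcmp() line, pmksa->bssid is now dereferenced for ETH_ALEN bytes, whereas the old &pmksa->bssid was always a valid address (that of the pointer field itself), so this path never followed the pointer before. Because struct cfg80211_pmksa declares the field as `const u8 *bssid`, it is worth confirming that every caller of brcmf_cfg80211_del_pmksa() sets it, or adding an explicit guard before the brcmf_dbg() call, for example `if (!pmksa->bssid) return -EINVAL;`. The commit message could also say what the old comparison did at run time: it compared the bytes of the pointer value against pmk[i].bssid, so the loop would not find the entry to delete. That would help people deciding whether to backport the fix.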