Hi, This broke WPA auth entirely on brcmfmac (in offload mode) and probably others, including on stable 6.2.3 and 6.3-rc1 (tested with iwd). Please revert or fix. Notes below. Reported-by: Ilya <me@xxxxxxxx> Reported-by: Janne Grunau <j@xxxxxxxxxx> #regzbot introduced: 015b8cc5e7c4d7 #regzbot monitor: https://lore.kernel.org/linux-wireless/20230124141856.356646-1-alexander@xxxxxxxxxxxxxx/ On 24/01/2023 23.18, Alexander Wetzel wrote: > Key information in wext.connect is not reset on (re)connect and can hold > data from a previous connection. > > Reset key data to avoid that drivers or mac80211 incorrectly detect a > WEP connection request and access the freed or already reused memory. > > Additionally optimize cfg80211_sme_connect() and avoid an useless > schedule of conn_work. > > Fixes: fffd0934b939 ("cfg80211: rework key operation") > Cc: stable@xxxxxxxxxxxxxxx > Link: https://lore.kernel.org/r/c80f04d2-8159-a02a-9287-26e5ec838826@xxxxxxxxxxxxxx > Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx> > > --- > V2 changes: > - updated comment > - reset more key data > > --- > net/wireless/sme.c | 31 ++++++++++++++++++++++++++----- > 1 file changed, 26 insertions(+), 5 deletions(-) > > diff --git a/net/wireless/sme.c b/net/wireless/sme.c > index 123248b2c0be..0cc841c0c59b 100644 > --- a/net/wireless/sme.c > +++ b/net/wireless/sme.c [snip] > @@ -1464,6 +1476,15 @@ int cfg80211_connect(struct cfg80211_registered_device *rdev, This if branch only fires if the connection is WEP. > } else { > if (WARN_ON(connkeys)) > return -EINVAL; > + > + /* connect can point to wdev->wext.connect which > + * can hold key data from a previous connection > + */ > + connect->key = NULL; > + connect->key_len = 0; > + connect->key_idx = 0; And these are indeed only used by WEP. > + connect->crypto.cipher_group = 0; > + connect->crypto.n_ciphers_pairwise = 0; But here you're killing the info that is used for *other* auth modes too if !WEP, breaking WPA and everything else. > } > > wdev->connect_keys = connkeys; - Hector
