mac80211, mt76: add fixes for recently discovered security issues

[openwrt/staging/dedeckeh.git] / package / kernel / mac80211 / patches / subsys / 331-wifi-mac80211-flush-queues-on-STA-removal.patch

diff --git a/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch
new file mode 100644 (file)
index 0000000..00232ec
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-flush-queues-on-STA-removal.patch
@@ -0,0 +1,36 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 13 Mar 2023 11:42:12 +0100
+Subject: [PATCH] wifi: mac80211: flush queues on STA removal
+
+When we remove a station, we first make it unreachable,
+then we (must) remove its keys, and then remove the
+station itself. Depending on the hardware design, if
+we have hardware crypto at all, frames still sitting
+on hardware queues may then be transmitted without a
+valid key, possibly unencrypted or with a fixed key.
+
+Fix this by flushing the queues when removing stations
+so this cannot happen.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
+---
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1271,6 +1271,14 @@ static void __sta_info_destroy_part2(str
+               WARN_ON_ONCE(ret);
+       }
+ 
++      /* Flush queues before removing keys, as that might remove them
++       * from hardware, and then depending on the offload method, any
++       * frames sitting on hardware queues might be sent out without
++       * any encryption at all.
++       */
++      if (local->ops->set_key)
++              ieee80211_flush_queues(local, sta->sdata, false);
++
+       /* now keys can no longer be reached */
+       ieee80211_free_sta_keys(local, sta);
+