projects / openwrt / staging / dedeckeh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
mac80211: backport upstream fixes for FragAttacks
[openwrt/staging/dedeckeh.git] / package / kernel / mac80211 / patches / ath / 303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
diff --git a/package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch b/package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
new file mode 100644 (file)
index 0000000..03bce42
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
@@ -0,0 +1,54 @@
+From: Wen Gong <wgong@codeaurora.org>
+Date: Tue, 11 May 2021 20:02:55 +0200
+Subject: [PATCH] ath10k: drop MPDU which has discard flag set by firmware
+ for SDIO
+
+When the discard flag is set by the firmware for an MPDU, it should be
+dropped. This allows a mitigation for CVE-2020-24588 to be implemented
+in the firmware.
+
+Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl
+       fw_desc = &rx->fw_desc;
+       rx_desc_len = fw_desc->len;
++      if (fw_desc->u.bits.discard) {
++              ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
++              goto err;
++      }
++
+       /* I have not yet seen any case where num_mpdu_ranges > 1.
+        * qcacld does not seem handle that case either, so we introduce the
+        * same limitiation here as well.
+--- a/drivers/net/wireless/ath/ath10k/rx_desc.h
++++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
+@@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
+ #define FW_RX_DESC_UDP              (1 << 6)
+ struct fw_rx_desc_hl {
+-      u8 info0;
++      union {
++              struct {
++              u8 discard:1,
++                 forward:1,
++                 any_err:1,
++                 dup_err:1,
++                 reserved:1,
++                 inspect:1,
++                 extension:2;
++              } bits;
++              u8 info0;
++      } u;
++
+       u8 version;
+       u8 len;
+       u8 flags;
Staging tree of dedeckeh