mac80211: Update to backports-5.10.42
authorHauke Mehrtens <hauke@hauke-m.de>
Sat, 5 Jun 2021 16:21:57 +0000 (18:21 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 6 Jun 2021 15:54:58 +0000 (17:54 +0200)
The removed patches were integrated upstream.

The brcmf_driver_work workqueue was removed in brcmfmac with kernel
5.10.42, the asynchronous call was covered to a synchronous call. There
is no need to wait any more.
This part was removed manually from this patch:
brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 04a260911ca0f10a0e37c487c220e1aae3623dda)

33 files changed:
package/kernel/mac80211/Makefile
package/kernel/mac80211/patches/ath/080-ath10k_thermal_config.patch
package/kernel/mac80211/patches/ath/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch [deleted file]
package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch [deleted file]
package/kernel/mac80211/patches/ath/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch [deleted file]
package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch [deleted file]
package/kernel/mac80211/patches/ath/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch [deleted file]
package/kernel/mac80211/patches/ath/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch [deleted file]
package/kernel/mac80211/patches/ath/402-ath_regd_optional.patch
package/kernel/mac80211/patches/ath/551-ath9k_ubnt_uap_plus_hsr.patch
package/kernel/mac80211/patches/ath/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch
package/kernel/mac80211/patches/brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
package/kernel/mac80211/patches/build/001-fix_build.patch
package/kernel/mac80211/patches/mwl/700-mwl8k-missing-pci-id-for-WNR854T.patch
package/kernel/mac80211/patches/mwl/940-mwl8k_init_devices_synchronously.patch
package/kernel/mac80211/patches/rt2x00/602-rt2x00-introduce-rt2x00eeprom.patch
package/kernel/mac80211/patches/subsys/100-remove-cryptoapi-dependencies.patch
package/kernel/mac80211/patches/subsys/150-disable_addr_notifier.patch
package/kernel/mac80211/patches/subsys/300-cfg80211-support-immediate-reconnect-request-hint.patch
package/kernel/mac80211/patches/subsys/301-mac80211-support-driver-based-disconnect-with-reconn.patch
package/kernel/mac80211/patches/subsys/311-net-fq_impl-drop-get_default_func-move-default-flow-.patch
package/kernel/mac80211/patches/subsys/315-mac80211-add-rx-decapsulation-offload-support.patch
package/kernel/mac80211/patches/subsys/373-mac80211-support-Rx-timestamp-calculation-for-all-pr.patch
package/kernel/mac80211/patches/subsys/380-mac80211-assure-all-fragments-are-encrypted.patch [deleted file]
package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch [deleted file]
package/kernel/mac80211/patches/subsys/382-mac80211-properly-handle-A-MSDUs-that-start-with-an-.patch [deleted file]
package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch [deleted file]
package/kernel/mac80211/patches/subsys/384-mac80211-drop-A-MSDUs-on-old-ciphers.patch [deleted file]
package/kernel/mac80211/patches/subsys/385-mac80211-add-fragment-cache-to-sta_info.patch [deleted file]
package/kernel/mac80211/patches/subsys/386-mac80211-check-defrag-PN-against-current-frame.patch [deleted file]
package/kernel/mac80211/patches/subsys/387-mac80211-prevent-attacks-on-TKIP-WEP-as-well.patch [deleted file]
package/kernel/mac80211/patches/subsys/388-mac80211-do-not-accept-forward-invalid-EAPOL-frames.patch [deleted file]
package/kernel/mac80211/patches/subsys/389-mac80211-extend-protection-against-mixed-key-and-fra.patch [deleted file]

index 19cda36..dd9ec17 100644 (file)
@@ -10,10 +10,10 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=mac80211
 
-PKG_VERSION:=5.10.34-1
+PKG_VERSION:=5.10.42-1
 PKG_RELEASE:=1
-PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v5.10.34/
-PKG_HASH:=03c4ca6bf47d4e50b91b61bc2943a98c788439e56ce2b4080bc4c94141c2c15b
+PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v5.10.42/
+PKG_HASH:=6876520105240844fdb32d1dcdf2bfdea291a37a96f16c892fda3776ba714fcb
 
 PKG_SOURCE:=backports-$(PKG_VERSION).tar.xz
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/backports-$(PKG_VERSION)
index 55d48da..de6f9d9 100644 (file)
@@ -37,7 +37,7 @@
  void ath10k_thermal_event_temperature(struct ath10k *ar, int temperature);
 --- a/local-symbols
 +++ b/local-symbols
-@@ -143,6 +143,7 @@ ATH10K_SNOC=
+@@ -142,6 +142,7 @@ ATH10K_SNOC=
  ATH10K_DEBUG=
  ATH10K_DEBUGFS=
  ATH10K_SPECTRAL=
diff --git a/package/kernel/mac80211/patches/ath/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch b/package/kernel/mac80211/patches/ath/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch
deleted file mode 100644 (file)
index 0ce49b2..0000000
+++ /dev/null
@@ -1,180 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:52 +0200
-Subject: [PATCH] ath10k: add CCMP PN replay protection for fragmented
- frames for PCIe
-
-PN replay check for not fragmented frames is finished in the firmware,
-but this was not done for fragmented frames when ath10k is used with
-QCA6174/QCA6377 PCIe. mac80211 has the function
-ieee80211_rx_h_defragment() for PN replay check for fragmented frames,
-but this does not get checked with QCA6174 due to the
-ieee80211_has_protected() condition not matching the cleared Protected
-bit case.
-
-Validate the PN of received fragmented frames within ath10k when CCMP is
-used and drop the fragment if the PN is not correct (incremented by
-exactly one from the previous fragment). This applies only for
-QCA6174/QCA6377 PCIe.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt.h
-+++ b/drivers/net/wireless/ath/ath10k/htt.h
-@@ -846,6 +846,7 @@ enum htt_security_types {
- #define ATH10K_HTT_TXRX_PEER_SECURITY_MAX 2
- #define ATH10K_TXRX_NUM_EXT_TIDS 19
-+#define ATH10K_TXRX_NON_QOS_TID 16
- enum htt_security_flags {
- #define HTT_SECURITY_TYPE_MASK 0x7F
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1746,16 +1746,87 @@ static void ath10k_htt_rx_h_csum_offload
-       msdu->ip_summed = ath10k_htt_rx_get_csum_state(msdu);
- }
-+static u64 ath10k_htt_rx_h_get_pn(struct ath10k *ar, struct sk_buff *skb,
-+                                u16 offset,
-+                                enum htt_rx_mpdu_encrypt_type enctype)
-+{
-+      struct ieee80211_hdr *hdr;
-+      u64 pn = 0;
-+      u8 *ehdr;
-+
-+      hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+      ehdr = skb->data + offset + ieee80211_hdrlen(hdr->frame_control);
-+
-+      if (enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) {
-+              pn = ehdr[0];
-+              pn |= (u64)ehdr[1] << 8;
-+              pn |= (u64)ehdr[4] << 16;
-+              pn |= (u64)ehdr[5] << 24;
-+              pn |= (u64)ehdr[6] << 32;
-+              pn |= (u64)ehdr[7] << 40;
-+      }
-+      return pn;
-+}
-+
-+static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
-+                                        struct sk_buff *skb,
-+                                        u16 peer_id,
-+                                        u16 offset,
-+                                        enum htt_rx_mpdu_encrypt_type enctype)
-+{
-+      struct ath10k_peer *peer;
-+      union htt_rx_pn_t *last_pn, new_pn = {0};
-+      struct ieee80211_hdr *hdr;
-+      bool more_frags;
-+      u8 tid, frag_number;
-+      u32 seq;
-+
-+      peer = ath10k_peer_find_by_id(ar, peer_id);
-+      if (!peer) {
-+              ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid peer for frag pn check\n");
-+              return false;
-+      }
-+
-+      hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+      if (ieee80211_is_data_qos(hdr->frame_control))
-+              tid = ieee80211_get_tid(hdr);
-+      else
-+              tid = ATH10K_TXRX_NON_QOS_TID;
-+
-+      last_pn = &peer->frag_tids_last_pn[tid];
-+      new_pn.pn48 = ath10k_htt_rx_h_get_pn(ar, skb, offset, enctype);
-+      more_frags = ieee80211_has_morefrags(hdr->frame_control);
-+      frag_number = le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_FRAG;
-+      seq = (__le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_SEQ) >> 4;
-+
-+      if (frag_number == 0) {
-+              last_pn->pn48 = new_pn.pn48;
-+              peer->frag_tids_seq[tid] = seq;
-+      } else {
-+              if (seq != peer->frag_tids_seq[tid])
-+                      return false;
-+
-+              if (new_pn.pn48 != last_pn->pn48 + 1)
-+                      return false;
-+
-+              last_pn->pn48 = new_pn.pn48;
-+      }
-+
-+      return true;
-+}
-+
- static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
-                                struct sk_buff_head *amsdu,
-                                struct ieee80211_rx_status *status,
-                                bool fill_crypt_header,
-                                u8 *rx_hdr,
--                               enum ath10k_pkt_rx_err *err)
-+                               enum ath10k_pkt_rx_err *err,
-+                               u16 peer_id,
-+                               bool frag)
- {
-       struct sk_buff *first;
-       struct sk_buff *last;
--      struct sk_buff *msdu;
-+      struct sk_buff *msdu, *temp;
-       struct htt_rx_desc *rxd;
-       struct ieee80211_hdr *hdr;
-       enum htt_rx_mpdu_encrypt_type enctype;
-@@ -1768,6 +1839,7 @@ static void ath10k_htt_rx_h_mpdu(struct
-       bool is_decrypted;
-       bool is_mgmt;
-       u32 attention;
-+      bool frag_pn_check = true;
-       if (skb_queue_empty(amsdu))
-               return;
-@@ -1866,6 +1938,24 @@ static void ath10k_htt_rx_h_mpdu(struct
-       }
-       skb_queue_walk(amsdu, msdu) {
-+              if (frag && !fill_crypt_header && is_decrypted &&
-+                  enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2)
-+                      frag_pn_check = ath10k_htt_rx_h_frag_pn_check(ar,
-+                                                                    msdu,
-+                                                                    peer_id,
-+                                                                    0,
-+                                                                    enctype);
-+
-+              if (!frag_pn_check) {
-+                      /* Discard the fragment with invalid PN */
-+                      temp = msdu->prev;
-+                      __skb_unlink(msdu, amsdu);
-+                      dev_kfree_skb_any(msdu);
-+                      msdu = temp;
-+                      frag_pn_check = true;
-+                      continue;
-+              }
-+
-               ath10k_htt_rx_h_csum_offload(msdu);
-               ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
-                                       is_decrypted);
-@@ -2071,7 +2161,8 @@ static int ath10k_htt_rx_handle_amsdu(st
-               ath10k_htt_rx_h_unchain(ar, &amsdu, &drop_cnt, &unchain_cnt);
-       ath10k_htt_rx_h_filter(ar, &amsdu, rx_status, &drop_cnt_filter);
--      ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true, first_hdr, &err);
-+      ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true, first_hdr, &err, 0,
-+                           false);
-       msdus_to_queue = skb_queue_len(&amsdu);
-       ath10k_htt_rx_h_enqueue(ar, &amsdu, rx_status);
-@@ -3027,7 +3118,7 @@ static int ath10k_htt_rx_in_ord_ind(stru
-                       ath10k_htt_rx_h_ppdu(ar, &amsdu, status, vdev_id);
-                       ath10k_htt_rx_h_filter(ar, &amsdu, status, NULL);
-                       ath10k_htt_rx_h_mpdu(ar, &amsdu, status, false, NULL,
--                                           NULL);
-+                                           NULL, peer_id, frag);
-                       ath10k_htt_rx_h_enqueue(ar, &amsdu, status);
-                       break;
-               case -EAGAIN:
diff --git a/package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch b/package/kernel/mac80211/patches/ath/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch
deleted file mode 100644 (file)
index 7288c66..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:53 +0200
-Subject: [PATCH] ath10k: drop fragments with multicast DA for PCIe
-
-Fragmentation is not used with multicast frames. Discard unexpected
-fragments with multicast DA. This fixes CVE-2020-26145.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1768,6 +1768,16 @@ static u64 ath10k_htt_rx_h_get_pn(struct
-       return pn;
- }
-+static bool ath10k_htt_rx_h_frag_multicast_check(struct ath10k *ar,
-+                                               struct sk_buff *skb,
-+                                               u16 offset)
-+{
-+      struct ieee80211_hdr *hdr;
-+
-+      hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+      return !is_multicast_ether_addr(hdr->addr1);
-+}
-+
- static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
-                                         struct sk_buff *skb,
-                                         u16 peer_id,
-@@ -1839,7 +1849,7 @@ static void ath10k_htt_rx_h_mpdu(struct
-       bool is_decrypted;
-       bool is_mgmt;
-       u32 attention;
--      bool frag_pn_check = true;
-+      bool frag_pn_check = true, multicast_check = true;
-       if (skb_queue_empty(amsdu))
-               return;
-@@ -1946,13 +1956,20 @@ static void ath10k_htt_rx_h_mpdu(struct
-                                                                     0,
-                                                                     enctype);
--              if (!frag_pn_check) {
--                      /* Discard the fragment with invalid PN */
-+              if (frag)
-+                      multicast_check = ath10k_htt_rx_h_frag_multicast_check(ar,
-+                                                                             msdu,
-+                                                                             0);
-+
-+              if (!frag_pn_check || !multicast_check) {
-+                      /* Discard the fragment with invalid PN or multicast DA
-+                       */
-                       temp = msdu->prev;
-                       __skb_unlink(msdu, amsdu);
-                       dev_kfree_skb_any(msdu);
-                       msdu = temp;
-                       frag_pn_check = true;
-+                      multicast_check = true;
-                       continue;
-               }
diff --git a/package/kernel/mac80211/patches/ath/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch b/package/kernel/mac80211/patches/ath/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch
deleted file mode 100644 (file)
index 85d9ce6..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:54 +0200
-Subject: [PATCH] ath10k: drop fragments with multicast DA for SDIO
-
-Fragmentation is not used with multicast frames. Discard unexpected
-fragments with multicast DA. This fixes CVE-2020-26145.
-
-Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2617,6 +2617,13 @@ static bool ath10k_htt_rx_proc_rx_frag_i
-       rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len);
-       rx_desc_info = __le32_to_cpu(rx_desc->info);
-+      hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
-+
-+      if (is_multicast_ether_addr(hdr->addr1)) {
-+              /* Discard the fragment with multicast DA */
-+              goto err;
-+      }
-+
-       if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) {
-               spin_unlock_bh(&ar->data_lock);
-               return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
-@@ -2624,8 +2631,6 @@ static bool ath10k_htt_rx_proc_rx_frag_i
-                                                   HTT_RX_NON_TKIP_MIC);
-       }
--      hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
--
-       if (ieee80211_has_retry(hdr->frame_control))
-               goto err;
diff --git a/package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch b/package/kernel/mac80211/patches/ath/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
deleted file mode 100644 (file)
index 03bce42..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:55 +0200
-Subject: [PATCH] ath10k: drop MPDU which has discard flag set by firmware
- for SDIO
-
-When the discard flag is set by the firmware for an MPDU, it should be
-dropped. This allows a mitigation for CVE-2020-24588 to be implemented
-in the firmware.
-
-Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl
-       fw_desc = &rx->fw_desc;
-       rx_desc_len = fw_desc->len;
-+      if (fw_desc->u.bits.discard) {
-+              ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
-+              goto err;
-+      }
-+
-       /* I have not yet seen any case where num_mpdu_ranges > 1.
-        * qcacld does not seem handle that case either, so we introduce the
-        * same limitiation here as well.
---- a/drivers/net/wireless/ath/ath10k/rx_desc.h
-+++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
-@@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
- #define FW_RX_DESC_UDP              (1 << 6)
- struct fw_rx_desc_hl {
--      u8 info0;
-+      union {
-+              struct {
-+              u8 discard:1,
-+                 forward:1,
-+                 any_err:1,
-+                 dup_err:1,
-+                 reserved:1,
-+                 inspect:1,
-+                 extension:2;
-+              } bits;
-+              u8 info0;
-+      } u;
-+
-       u8 version;
-       u8 len;
-       u8 flags;
diff --git a/package/kernel/mac80211/patches/ath/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch b/package/kernel/mac80211/patches/ath/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch
deleted file mode 100644 (file)
index da9d680..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:56 +0200
-Subject: [PATCH] ath10k: Fix TKIP Michael MIC verification for PCIe
-
-TKIP Michael MIC was not verified properly for PCIe cases since the
-validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
-not get fully executed due to unexpected flag values in
-ieee80211_rx_status.
-
-Fix this by setting the flags property to meet mac80211 expectations for
-performing Michael MIC validation there. This fixes CVE-2020-26141. It
-does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
-MIC verification case. This applies only to QCA6174/QCA9377 PCIe.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1974,6 +1974,11 @@ static void ath10k_htt_rx_h_mpdu(struct
-               }
-               ath10k_htt_rx_h_csum_offload(msdu);
-+
-+              if (frag && !fill_crypt_header &&
-+                  enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
-+                      status->flag &= ~RX_FLAG_MMIC_STRIPPED;
-+
-               ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
-                                       is_decrypted);
-@@ -1991,6 +1996,11 @@ static void ath10k_htt_rx_h_mpdu(struct
-               hdr = (void *)msdu->data;
-               hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
-+
-+              if (frag && !fill_crypt_header &&
-+                  enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
-+                      status->flag &= ~RX_FLAG_IV_STRIPPED &
-+                                      ~RX_FLAG_MMIC_STRIPPED;
-       }
- }
diff --git a/package/kernel/mac80211/patches/ath/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch b/package/kernel/mac80211/patches/ath/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch
deleted file mode 100644 (file)
index 0bdbed7..0000000
+++ /dev/null
@@ -1,109 +0,0 @@
-From: Sriram R <srirrama@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:57 +0200
-Subject: [PATCH] ath10k: Validate first subframe of A-MSDU before
- processing the list
-
-In certain scenarios a normal MSDU can be received as an A-MSDU when
-the A-MSDU present bit of a QoS header gets flipped during reception.
-Since this bit is unauthenticated, the hardware crypto engine can pass
-the frame to the driver without any error indication.
-
-This could result in processing unintended subframes collected in the
-A-MSDU list. Hence, validate A-MSDU list by checking if the first frame
-has a valid subframe header.
-
-Comparing the non-aggregated MSDU and an A-MSDU, the fields of the first
-subframe DA matches the LLC/SNAP header fields of a normal MSDU.
-In order to avoid processing such frames, add a validation to
-filter such A-MSDU frames where the first subframe header DA matches
-with the LLC/SNAP header pattern.
-
-Tested-on: QCA9984 hw1.0 PCI 10.4-3.10-00047
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sriram R <srirrama@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2108,14 +2108,62 @@ static void ath10k_htt_rx_h_unchain(stru
-       ath10k_unchain_msdu(amsdu, unchain_cnt);
- }
-+static bool ath10k_htt_rx_validate_amsdu(struct ath10k *ar,
-+                                       struct sk_buff_head *amsdu)
-+{
-+      u8 *subframe_hdr;
-+      struct sk_buff *first;
-+      bool is_first, is_last;
-+      struct htt_rx_desc *rxd;
-+      struct ieee80211_hdr *hdr;
-+      size_t hdr_len, crypto_len;
-+      enum htt_rx_mpdu_encrypt_type enctype;
-+      int bytes_aligned = ar->hw_params.decap_align_bytes;
-+
-+      first = skb_peek(amsdu);
-+
-+      rxd = (void *)first->data - sizeof(*rxd);
-+      hdr = (void *)rxd->rx_hdr_status;
-+
-+      is_first = !!(rxd->msdu_end.common.info0 &
-+                    __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
-+      is_last = !!(rxd->msdu_end.common.info0 &
-+                   __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
-+
-+      /* Return in case of non-aggregated msdu */
-+      if (is_first && is_last)
-+              return true;
-+
-+      /* First msdu flag is not set for the first msdu of the list */
-+      if (!is_first)
-+              return false;
-+
-+      enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
-+                   RX_MPDU_START_INFO0_ENCRYPT_TYPE);
-+
-+      hdr_len = ieee80211_hdrlen(hdr->frame_control);
-+      crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
-+
-+      subframe_hdr = (u8 *)hdr + round_up(hdr_len, bytes_aligned) +
-+                     crypto_len;
-+
-+      /* Validate if the amsdu has a proper first subframe.
-+       * There are chances a single msdu can be received as amsdu when
-+       * the unauthenticated amsdu flag of a QoS header
-+       * gets flipped in non-SPP AMSDU's, in such cases the first
-+       * subframe has llc/snap header in place of a valid da.
-+       * return false if the da matches rfc1042 pattern
-+       */
-+      if (ether_addr_equal(subframe_hdr, rfc1042_header))
-+              return false;
-+
-+      return true;
-+}
-+
- static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar,
-                                       struct sk_buff_head *amsdu,
-                                       struct ieee80211_rx_status *rx_status)
- {
--      /* FIXME: It might be a good idea to do some fuzzy-testing to drop
--       * invalid/dangerous frames.
--       */
--
-       if (!rx_status->freq) {
-               ath10k_dbg(ar, ATH10K_DBG_HTT, "no channel configured; ignoring frame(s)!\n");
-               return false;
-@@ -2126,6 +2174,11 @@ static bool ath10k_htt_rx_amsdu_allowed(
-               return false;
-       }
-+      if (!ath10k_htt_rx_validate_amsdu(ar, amsdu)) {
-+              ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid amsdu received\n");
-+              return false;
-+      }
-+
-       return true;
- }
index 3c9180b..bf87d35 100644 (file)
@@ -82,7 +82,7 @@
        help
 --- a/local-symbols
 +++ b/local-symbols
-@@ -86,6 +86,7 @@ ADM8211=
+@@ -85,6 +85,7 @@ ADM8211=
  ATH_COMMON=
  WLAN_VENDOR_ATH=
  ATH_DEBUG=
index cd2bdbf..acb9ad4 100644 (file)
  
 --- a/local-symbols
 +++ b/local-symbols
-@@ -113,6 +113,7 @@ ATH9K_WOW=
+@@ -112,6 +112,7 @@ ATH9K_WOW=
  ATH9K_RFKILL=
  ATH9K_CHANNEL_CONTEXT=
  ATH9K_PCOEM=
index 5e74687..ce8effe 100644 (file)
@@ -114,7 +114,7 @@ v13:
  ath10k_core-$(CONFIG_DEV_COREDUMP) += coredump.o
 --- a/local-symbols
 +++ b/local-symbols
-@@ -146,6 +146,7 @@ ATH10K_DEBUG=
+@@ -145,6 +145,7 @@ ATH10K_DEBUG=
  ATH10K_DEBUGFS=
  ATH10K_SPECTRAL=
  ATH10K_THERMAL=
@@ -456,7 +456,7 @@ v13:
  {
 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
 +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-@@ -4591,6 +4591,8 @@ static const struct wmi_ops wmi_tlv_ops
+@@ -4594,6 +4594,8 @@ static const struct wmi_ops wmi_tlv_ops
        .gen_echo = ath10k_wmi_tlv_op_gen_echo,
        .gen_vdev_spectral_conf = ath10k_wmi_tlv_op_gen_vdev_spectral_conf,
        .gen_vdev_spectral_enable = ath10k_wmi_tlv_op_gen_vdev_spectral_enable,
index dc2295d..c9730e2 100644 (file)
@@ -11,16 +11,6 @@ module loads successfully.
 Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
 ---
 
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1557,6 +1557,7 @@ int __init brcmf_core_init(void)
- {
-       if (!schedule_work(&brcmf_driver_work))
-               return -EBUSY;
-+      flush_work(&brcmf_driver_work);
-       return 0;
- }
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
 @@ -431,6 +431,7 @@ struct brcmf_fw {
index e57ca19..8f63d36 100644 (file)
@@ -55,8 +55,8 @@
 -                              echo ""                                                 ;\
 -                      done                                                            \
 -              ) > Kconfig.kernel                                                      ;\
--              kver=$$($(MAKE) --no-print-directory -C $(KLIB_BUILD) kernelversion |   \
--                      sed 's/^\(\([3-5]\|2\.6\)\.[0-9]\+\).*/\1/;t;d')                ;\
+-              kver=$$($(MAKE) --no-print-directory -C $(KLIB_BUILD) M=$(BACKPORT_DIR) \
+-                      kernelversion | sed 's/^\(\([3-5]\|2\.6\)\.[0-9]\+\).*/\1/;t;d');\
 -              test "$$kver" != "" || echo "Kernel version parse failed!"              ;\
 -              test "$$kver" != ""                                                     ;\
 -              kvers="$$(seq 14 39 | sed 's/^/2.6./')"                                 ;\
 +      @echo " done."
 +
 +Kconfig.versions: Kconfig.kernel
-+      @kver=$$($(MAKE) --no-print-directory -C $(KLIB_BUILD) kernelversion |  \
-+              sed 's/^\(\([3-5]\|2\.6\)\.[0-9]\+\).*/\1/;t;d')                ;\
++      @kver=$$($(MAKE) --no-print-directory -C $(KLIB_BUILD) M=$(BACKPORT_DIR) \
++              kernelversion | sed 's/^\(\([3-5]\|2\.6\)\.[0-9]\+\).*/\1/;t;d');\
 +      test "$$kver" != "" || echo "Kernel version parse failed!"              ;\
 +      test "$$kver" != ""                                                     ;\
 +      kvers="$$(seq 14 39 | sed 's/^/2.6./')"                                 ;\
index cfa40e1..d358cfe 100644 (file)
@@ -1,6 +1,6 @@
 --- a/drivers/net/wireless/marvell/mwl8k.c
 +++ b/drivers/net/wireless/marvell/mwl8k.c
-@@ -5694,6 +5694,7 @@ MODULE_FIRMWARE("mwl8k/fmimage_8366.fw")
+@@ -5695,6 +5695,7 @@ MODULE_FIRMWARE("mwl8k/fmimage_8366.fw")
  MODULE_FIRMWARE(MWL8K_8366_AP_FW(MWL8K_8366_AP_FW_API));
  
  static const struct pci_device_id mwl8k_pci_id_table[] = {
index f3130f7..a35cf18 100644 (file)
@@ -1,6 +1,6 @@
 --- a/drivers/net/wireless/marvell/mwl8k.c
 +++ b/drivers/net/wireless/marvell/mwl8k.c
-@@ -6279,6 +6279,8 @@ static int mwl8k_probe(struct pci_dev *p
+@@ -6280,6 +6280,8 @@ static int mwl8k_probe(struct pci_dev *p
  
        priv->running_bsses = 0;
  
@@ -9,7 +9,7 @@
        return rc;
  
  err_stop_firmware:
-@@ -6312,8 +6314,6 @@ static void mwl8k_remove(struct pci_dev
+@@ -6313,8 +6315,6 @@ static void mwl8k_remove(struct pci_dev
                return;
        priv = hw->priv;
  
index 1c52132..e74d9a9 100644 (file)
@@ -1,6 +1,6 @@
 --- a/local-symbols
 +++ b/local-symbols
-@@ -333,6 +333,7 @@ RT2X00_LIB_FIRMWARE=
+@@ -332,6 +332,7 @@ RT2X00_LIB_FIRMWARE=
  RT2X00_LIB_CRYPTO=
  RT2X00_LIB_LEDS=
  RT2X00_LIB_DEBUGFS=
index ec6ecbc..ca02dfb 100644 (file)
  #endif /* AES_GCM_H */
 --- a/net/mac80211/wpa.c
 +++ b/net/mac80211/wpa.c
-@@ -311,7 +311,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
+@@ -312,7 +312,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
  }
  
  
  {
        __le16 mask_fc;
        int a4_included, mgmt;
-@@ -341,14 +342,8 @@ static void ccmp_special_blocks(struct s
+@@ -342,14 +343,8 @@ static void ccmp_special_blocks(struct s
        else
                qos_tid = 0;
  
  
        /* Nonce: Nonce Flags | A2 | PN
         * Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
-@@ -356,6 +351,8 @@ static void ccmp_special_blocks(struct s
+@@ -357,6 +352,8 @@ static void ccmp_special_blocks(struct s
        b_0[1] = qos_tid | (mgmt << 4);
        memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
        memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
  
        /* AAD (extra authenticate-only data) / masked 802.11 header
         * FC | A1 | A2 | A3 | SC | [A4] | [QC] */
-@@ -412,7 +409,7 @@ static int ccmp_encrypt_skb(struct ieee8
+@@ -413,7 +410,7 @@ static int ccmp_encrypt_skb(struct ieee8
        u8 *pos;
        u8 pn[6];
        u64 pn64;
        u8 b_0[AES_BLOCK_SIZE];
  
        if (info->control.hw_key &&
-@@ -467,9 +464,11 @@ static int ccmp_encrypt_skb(struct ieee8
+@@ -468,9 +465,11 @@ static int ccmp_encrypt_skb(struct ieee8
                return 0;
  
        pos += IEEE80211_CCMP_HDR_LEN;
  }
  
  
-@@ -542,13 +541,13 @@ ieee80211_crypto_ccmp_decrypt(struct iee
+@@ -543,13 +542,13 @@ ieee80211_crypto_ccmp_decrypt(struct iee
                        u8 aad[2 * AES_BLOCK_SIZE];
                        u8 b_0[AES_BLOCK_SIZE];
                        /* hardware didn't decrypt/verify MIC */
                                return RX_DROP_UNUSABLE;
                }
  
-@@ -643,7 +642,7 @@ static int gcmp_encrypt_skb(struct ieee8
+@@ -646,7 +645,7 @@ static int gcmp_encrypt_skb(struct ieee8
        u8 *pos;
        u8 pn[6];
        u64 pn64;
        u8 j_0[AES_BLOCK_SIZE];
  
        if (info->control.hw_key &&
-@@ -700,8 +699,10 @@ static int gcmp_encrypt_skb(struct ieee8
+@@ -703,8 +702,10 @@ static int gcmp_encrypt_skb(struct ieee8
  
        pos += IEEE80211_GCMP_HDR_LEN;
        gcmp_special_blocks(skb, pn, j_0, aad);
  }
  
  ieee80211_tx_result
-@@ -1128,9 +1129,9 @@ ieee80211_crypto_aes_gmac_encrypt(struct
+@@ -1133,9 +1134,9 @@ ieee80211_crypto_aes_gmac_encrypt(struct
        struct ieee80211_key *key = tx->key;
        struct ieee80211_mmie_16 *mmie;
        struct ieee80211_hdr *hdr;
  
        if (WARN_ON(skb_queue_len(&tx->skbs) != 1))
                return TX_DROP;
-@@ -1176,7 +1177,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct
+@@ -1181,7 +1182,7 @@ ieee80211_crypto_aes_gmac_decrypt(struct
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_key *key = rx->key;
        struct ieee80211_mmie_16 *mmie;
index 9589235..8d08662 100644 (file)
@@ -18,7 +18,7 @@
  static int ieee80211_ifa6_changed(struct notifier_block *nb,
                                  unsigned long data, void *arg)
  {
-@@ -1312,14 +1312,14 @@ int ieee80211_register_hw(struct ieee802
+@@ -1315,14 +1315,14 @@ int ieee80211_register_hw(struct ieee802
  
        rtnl_unlock();
  
@@ -35,7 +35,7 @@
        local->ifa6_notifier.notifier_call = ieee80211_ifa6_changed;
        result = register_inet6addr_notifier(&local->ifa6_notifier);
        if (result)
-@@ -1328,13 +1328,13 @@ int ieee80211_register_hw(struct ieee802
+@@ -1331,13 +1331,13 @@ int ieee80211_register_hw(struct ieee802
  
        return 0;
  
@@ -52,7 +52,7 @@
   fail_ifa:
  #endif
        wiphy_unregister(local->hw.wiphy);
-@@ -1362,10 +1362,10 @@ void ieee80211_unregister_hw(struct ieee
+@@ -1365,10 +1365,10 @@ void ieee80211_unregister_hw(struct ieee
        tasklet_kill(&local->tx_pending_tasklet);
        tasklet_kill(&local->tasklet);
  
index cbc2a2e..7c44242 100644 (file)
@@ -55,7 +55,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        __NL80211_ATTR_AFTER_LAST,
 --- a/net/mac80211/mlme.c
 +++ b/net/mac80211/mlme.c
-@@ -2729,7 +2729,7 @@ static void ieee80211_report_disconnect(
+@@ -2734,7 +2734,7 @@ static void ieee80211_report_disconnect(
        };
  
        if (tx)
@@ -64,7 +64,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        else
                cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
  
-@@ -4719,7 +4719,8 @@ void ieee80211_mgd_quiesce(struct ieee80
+@@ -4724,7 +4724,8 @@ void ieee80211_mgd_quiesce(struct ieee80
                if (ifmgd->auth_data)
                        ieee80211_destroy_auth_data(sdata, false);
                cfg80211_tx_mlme_mgmt(sdata->dev, frame_buf,
index 59a154a..31621eb 100644 (file)
@@ -34,7 +34,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
   * @vif: &struct ieee80211_vif pointer from the add_interface callback.
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -461,7 +461,9 @@ struct ieee80211_if_managed {
+@@ -450,7 +450,9 @@ struct ieee80211_if_managed {
        unsigned long probe_timeout;
        int probe_send_count;
        bool nullfunc_failed;
@@ -47,7 +47,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        struct ieee80211_mgd_auth_data *auth_data;
 --- a/net/mac80211/mlme.c
 +++ b/net/mac80211/mlme.c
-@@ -2720,7 +2720,7 @@ EXPORT_SYMBOL(ieee80211_ap_probereq_get)
+@@ -2725,7 +2725,7 @@ EXPORT_SYMBOL(ieee80211_ap_probereq_get)
  
  static void ieee80211_report_disconnect(struct ieee80211_sub_if_data *sdata,
                                        const u8 *buf, size_t len, bool tx,
@@ -56,7 +56,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  {
        struct ieee80211_event event = {
                .type = MLME_EVENT,
-@@ -2729,7 +2729,7 @@ static void ieee80211_report_disconnect(
+@@ -2734,7 +2734,7 @@ static void ieee80211_report_disconnect(
        };
  
        if (tx)
@@ -65,7 +65,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        else
                cfg80211_rx_mlme_mgmt(sdata->dev, buf, len);
  
-@@ -2751,13 +2751,18 @@ static void __ieee80211_disconnect(struc
+@@ -2756,13 +2756,18 @@ static void __ieee80211_disconnect(struc
  
        tx = !sdata->csa_block_tx;
  
@@ -89,7 +89,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
                               tx, frame_buf);
        mutex_lock(&local->mtx);
        sdata->vif.csa_active = false;
-@@ -2770,7 +2775,9 @@ static void __ieee80211_disconnect(struc
+@@ -2775,7 +2780,9 @@ static void __ieee80211_disconnect(struc
        mutex_unlock(&local->mtx);
  
        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
@@ -100,7 +100,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  
        sdata_unlock(sdata);
  }
-@@ -2789,6 +2796,13 @@ static void ieee80211_beacon_connection_
+@@ -2794,6 +2801,13 @@ static void ieee80211_beacon_connection_
                sdata_info(sdata, "Connection to AP %pM lost\n",
                           ifmgd->bssid);
                __ieee80211_disconnect(sdata);
@@ -114,7 +114,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        } else {
                ieee80211_mgd_probe_ap(sdata, true);
        }
-@@ -2827,6 +2841,21 @@ void ieee80211_connection_loss(struct ie
+@@ -2832,6 +2846,21 @@ void ieee80211_connection_loss(struct ie
  }
  EXPORT_SYMBOL(ieee80211_connection_loss);
  
@@ -136,7 +136,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  
  static void ieee80211_destroy_auth_data(struct ieee80211_sub_if_data *sdata,
                                        bool assoc)
-@@ -3130,7 +3159,7 @@ static void ieee80211_rx_mgmt_deauth(str
+@@ -3135,7 +3164,7 @@ static void ieee80211_rx_mgmt_deauth(str
                ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
  
                ieee80211_report_disconnect(sdata, (u8 *)mgmt, len, false,
@@ -145,7 +145,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
                return;
        }
  
-@@ -3179,7 +3208,8 @@ static void ieee80211_rx_mgmt_disassoc(s
+@@ -3184,7 +3213,8 @@ static void ieee80211_rx_mgmt_disassoc(s
  
        ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
  
@@ -155,7 +155,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  }
  
  static void ieee80211_get_rates(struct ieee80211_supported_band *sband,
-@@ -4199,7 +4229,8 @@ static void ieee80211_rx_mgmt_beacon(str
+@@ -4204,7 +4234,8 @@ static void ieee80211_rx_mgmt_beacon(str
                                       true, deauth_buf);
                ieee80211_report_disconnect(sdata, deauth_buf,
                                            sizeof(deauth_buf), true,
@@ -165,7 +165,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
                return;
        }
  
-@@ -4344,7 +4375,7 @@ static void ieee80211_sta_connection_los
+@@ -4349,7 +4380,7 @@ static void ieee80211_sta_connection_los
                               tx, frame_buf);
  
        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
@@ -174,7 +174,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  }
  
  static int ieee80211_auth(struct ieee80211_sub_if_data *sdata)
-@@ -5434,7 +5465,8 @@ int ieee80211_mgd_auth(struct ieee80211_
+@@ -5439,7 +5470,8 @@ int ieee80211_mgd_auth(struct ieee80211_
  
                ieee80211_report_disconnect(sdata, frame_buf,
                                            sizeof(frame_buf), true,
@@ -184,7 +184,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        }
  
        sdata_info(sdata, "authenticate with %pM\n", req->bss->bssid);
-@@ -5506,7 +5538,8 @@ int ieee80211_mgd_assoc(struct ieee80211
+@@ -5511,7 +5543,8 @@ int ieee80211_mgd_assoc(struct ieee80211
  
                ieee80211_report_disconnect(sdata, frame_buf,
                                            sizeof(frame_buf), true,
@@ -194,7 +194,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
        }
  
        if (ifmgd->auth_data && !ifmgd->auth_data->done) {
-@@ -5805,7 +5838,7 @@ int ieee80211_mgd_deauth(struct ieee8021
+@@ -5810,7 +5843,7 @@ int ieee80211_mgd_deauth(struct ieee8021
                ieee80211_destroy_auth_data(sdata, false);
                ieee80211_report_disconnect(sdata, frame_buf,
                                            sizeof(frame_buf), true,
@@ -203,7 +203,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  
                return 0;
        }
-@@ -5825,7 +5858,7 @@ int ieee80211_mgd_deauth(struct ieee8021
+@@ -5830,7 +5863,7 @@ int ieee80211_mgd_deauth(struct ieee8021
                ieee80211_destroy_assoc_data(sdata, false, true);
                ieee80211_report_disconnect(sdata, frame_buf,
                                            sizeof(frame_buf), true,
@@ -212,7 +212,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
                return 0;
        }
  
-@@ -5840,7 +5873,7 @@ int ieee80211_mgd_deauth(struct ieee8021
+@@ -5845,7 +5878,7 @@ int ieee80211_mgd_deauth(struct ieee8021
                                       req->reason_code, tx, frame_buf);
                ieee80211_report_disconnect(sdata, frame_buf,
                                            sizeof(frame_buf), true,
@@ -221,7 +221,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
                return 0;
        }
  
-@@ -5873,7 +5906,7 @@ int ieee80211_mgd_disassoc(struct ieee80
+@@ -5878,7 +5911,7 @@ int ieee80211_mgd_disassoc(struct ieee80
                               frame_buf);
  
        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
index f8748ef..33dbb5e 100644 (file)
@@ -68,7 +68,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  static int fq_init(struct fq *fq, int flows_cnt)
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -857,7 +857,6 @@ enum txq_info_flags {
+@@ -846,7 +846,6 @@ enum txq_info_flags {
   */
  struct txq_info {
        struct fq_tin tin;
index 09407f3..b8bb293 100644 (file)
@@ -132,7 +132,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  #endif /* __MAC80211_DRIVER_OPS */
 --- a/net/mac80211/iface.c
 +++ b/net/mac80211/iface.c
-@@ -839,7 +839,7 @@ static const struct net_device_ops ieee8
+@@ -835,7 +835,7 @@ static const struct net_device_ops ieee8
  
  };
  
@@ -141,7 +141,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  {
        switch (iftype) {
        /* P2P GO and client are mapped to AP/STATION types */
-@@ -859,7 +859,7 @@ static bool ieee80211_set_sdata_offload_
+@@ -855,7 +855,7 @@ static bool ieee80211_set_sdata_offload_
        flags = sdata->vif.offload_flags;
  
        if (ieee80211_hw_check(&local->hw, SUPPORTS_TX_ENCAP_OFFLOAD) &&
@@ -150,7 +150,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
                flags |= IEEE80211_OFFLOAD_ENCAP_ENABLED;
  
                if (!ieee80211_hw_check(&local->hw, SUPPORTS_TX_FRAG) &&
-@@ -872,10 +872,21 @@ static bool ieee80211_set_sdata_offload_
+@@ -868,10 +868,21 @@ static bool ieee80211_set_sdata_offload_
                flags &= ~IEEE80211_OFFLOAD_ENCAP_ENABLED;
        }
  
@@ -172,7 +172,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        return true;
  }
  
-@@ -893,7 +904,7 @@ static void ieee80211_set_vif_encap_ops(
+@@ -889,7 +900,7 @@ static void ieee80211_set_vif_encap_ops(
        }
  
        if (!ieee80211_hw_check(&local->hw, SUPPORTS_TX_ENCAP_OFFLOAD) ||
@@ -183,7 +183,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        enabled = bss->vif.offload_flags & IEEE80211_OFFLOAD_ENCAP_ENABLED;
 --- a/net/mac80211/rx.c
 +++ b/net/mac80211/rx.c
-@@ -4114,7 +4114,9 @@ void ieee80211_check_fast_rx(struct sta_
+@@ -4198,7 +4198,9 @@ void ieee80211_check_fast_rx(struct sta_
                .vif_type = sdata->vif.type,
                .control_port_protocol = sdata->control_port_protocol,
        }, *old, *new = NULL;
@@ -193,7 +193,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  
        /* use sparse to check that we don't return without updating */
        __acquire(check_fast_rx);
-@@ -4227,6 +4229,17 @@ void ieee80211_check_fast_rx(struct sta_
+@@ -4311,6 +4313,17 @@ void ieee80211_check_fast_rx(struct sta_
        if (assign)
                new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
  
@@ -211,7 +211,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        spin_lock_bh(&sta->lock);
        old = rcu_dereference_protected(sta->fast_rx, true);
        rcu_assign_pointer(sta->fast_rx, new);
-@@ -4273,6 +4286,108 @@ void ieee80211_check_fast_rx_iface(struc
+@@ -4357,6 +4370,108 @@ void ieee80211_check_fast_rx_iface(struc
        mutex_unlock(&local->sta_mtx);
  }
  
@@ -320,7 +320,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
                                     struct ieee80211_fast_rx *fast_rx)
  {
-@@ -4293,9 +4408,6 @@ static bool ieee80211_invoke_fast_rx(str
+@@ -4377,9 +4492,6 @@ static bool ieee80211_invoke_fast_rx(str
        } addrs __aligned(2);
        struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
  
@@ -330,7 +330,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        /* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
         * to a common data structure; drivers can implement that per queue
         * but we don't have that information in mac80211
-@@ -4369,32 +4481,6 @@ static bool ieee80211_invoke_fast_rx(str
+@@ -4453,32 +4565,6 @@ static bool ieee80211_invoke_fast_rx(str
            pskb_trim(skb, skb->len - fast_rx->icv_len))
                goto drop;
  
@@ -363,7 +363,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        if (rx->key && !ieee80211_has_protected(hdr->frame_control))
                goto drop;
  
-@@ -4406,12 +4492,6 @@ static bool ieee80211_invoke_fast_rx(str
+@@ -4490,12 +4576,6 @@ static bool ieee80211_invoke_fast_rx(str
                return true;
        }
  
@@ -376,7 +376,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        /* do the header conversion - first grab the addresses */
        ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
        ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
-@@ -4420,62 +4500,14 @@ static bool ieee80211_invoke_fast_rx(str
+@@ -4504,62 +4584,14 @@ static bool ieee80211_invoke_fast_rx(str
        /* push the addresses in front */
        memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
  
@@ -443,7 +443,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
        stats->dropped++;
        return true;
  }
-@@ -4529,6 +4561,47 @@ static bool ieee80211_prepare_and_rx_han
+@@ -4613,6 +4645,47 @@ static bool ieee80211_prepare_and_rx_han
        return true;
  }
  
@@ -491,7 +491,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
  /*
   * This is the actual Rx frames handler. as it belongs to Rx path it must
   * be called with rcu_read_lock protection.
-@@ -4766,15 +4839,20 @@ void ieee80211_rx_list(struct ieee80211_
+@@ -4850,15 +4923,20 @@ void ieee80211_rx_list(struct ieee80211_
         * if it was previously present.
         * Also, frames with less than 16 bytes are dropped.
         */
index c432d77..117fb35 100644 (file)
@@ -15,7 +15,7 @@ Signed-off-by: Johannes Berg <johannes.berg@intel.com>
 
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -1600,13 +1600,8 @@ ieee80211_have_rx_timestamp(struct ieee8
+@@ -1587,13 +1587,8 @@ ieee80211_have_rx_timestamp(struct ieee8
  {
        WARN_ON_ONCE(status->flag & RX_FLAG_MACTIME_START &&
                     status->flag & RX_FLAG_MACTIME_END);
diff --git a/package/kernel/mac80211/patches/subsys/380-mac80211-assure-all-fragments-are-encrypted.patch b/package/kernel/mac80211/patches/subsys/380-mac80211-assure-all-fragments-are-encrypted.patch
deleted file mode 100644 (file)
index 6939845..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Date: Tue, 11 May 2021 20:02:42 +0200
-Subject: [PATCH] mac80211: assure all fragments are encrypted
-
-Do not mix plaintext and encrypted fragments in protected Wi-Fi
-networks. This fixes CVE-2020-26147.
-
-Previously, an attacker was able to first forward a legitimate encrypted
-fragment towards a victim, followed by a plaintext fragment. The
-encrypted and plaintext fragment would then be reassembled. For further
-details see Section 6.3 and Appendix D in the paper "Fragment and Forge:
-Breaking Wi-Fi Through Frame Aggregation and Fragmentation".
-
-Because of this change there are now two equivalent conditions in the
-code to determine if a received fragment requires sequential PNs, so we
-also move this test to a separate function to make the code easier to
-maintain.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2204,6 +2204,16 @@ ieee80211_reassemble_find(struct ieee802
-       return NULL;
- }
-+static bool requires_sequential_pn(struct ieee80211_rx_data *rx, __le16 fc)
-+{
-+      return rx->key &&
-+              (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
-+               rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
-+               rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
-+               rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
-+              ieee80211_has_protected(fc);
-+}
-+
- static ieee80211_rx_result debug_noinline
- ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
- {
-@@ -2248,12 +2258,7 @@ ieee80211_rx_h_defragment(struct ieee802
-               /* This is the first fragment of a new frame. */
-               entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
-                                                rx->seqno_idx, &(rx->skb));
--              if (rx->key &&
--                  (rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP ||
--                   rx->key->conf.cipher == WLAN_CIPHER_SUITE_CCMP_256 ||
--                   rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP ||
--                   rx->key->conf.cipher == WLAN_CIPHER_SUITE_GCMP_256) &&
--                  ieee80211_has_protected(fc)) {
-+              if (requires_sequential_pn(rx, fc)) {
-                       int queue = rx->security_idx;
-                       /* Store CCMP/GCMP PN so that we can verify that the
-@@ -2295,11 +2300,7 @@ ieee80211_rx_h_defragment(struct ieee802
-               u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
-               int queue;
--              if (!rx->key ||
--                  (rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP &&
--                   rx->key->conf.cipher != WLAN_CIPHER_SUITE_CCMP_256 &&
--                   rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP &&
--                   rx->key->conf.cipher != WLAN_CIPHER_SUITE_GCMP_256))
-+              if (!requires_sequential_pn(rx, fc))
-                       return RX_DROP_UNUSABLE;
-               memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
-               for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
diff --git a/package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch b/package/kernel/mac80211/patches/subsys/381-mac80211-prevent-mixed-key-and-fragment-cache-attack.patch
deleted file mode 100644 (file)
index de0f89a..0000000
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Date: Tue, 11 May 2021 20:02:43 +0200
-Subject: [PATCH] mac80211: prevent mixed key and fragment cache attacks
-
-Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
-cache attacks (CVE-2020-24586). This is accomplished by assigning a
-unique color to every key (per interface) and using this to track which
-key was used to decrypt a fragment. When reassembling frames, it is
-now checked whether all fragments were decrypted using the same key.
-
-To assure that fragment cache attacks are also prevented, the ID that is
-assigned to keys is unique even over (re)associations and (re)connects.
-This means fragments separated by a (re)association or (re)connect will
-not be reassembled. Because mac80211 now also prevents the reassembly of
-mixed encrypted and plaintext fragments, all cache attacks are prevented.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -97,6 +97,7 @@ struct ieee80211_fragment_entry {
-       u8 rx_queue;
-       bool check_sequential_pn; /* needed for CCMP/GCMP */
-       u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
-+      unsigned int key_color;
- };
---- a/net/mac80211/key.c
-+++ b/net/mac80211/key.c
-@@ -799,6 +799,7 @@ int ieee80211_key_link(struct ieee80211_
-                      struct ieee80211_sub_if_data *sdata,
-                      struct sta_info *sta)
- {
-+      static atomic_t key_color = ATOMIC_INIT(0);
-       struct ieee80211_key *old_key;
-       int idx = key->conf.keyidx;
-       bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
-@@ -850,6 +851,12 @@ int ieee80211_key_link(struct ieee80211_
-       key->sdata = sdata;
-       key->sta = sta;
-+      /*
-+       * Assign a unique ID to every key so we can easily prevent mixed
-+       * key and fragment cache attacks.
-+       */
-+      key->color = atomic_inc_return(&key_color);
-+
-       increment_tailroom_need_count(sdata);
-       ret = ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
---- a/net/mac80211/key.h
-+++ b/net/mac80211/key.h
-@@ -128,6 +128,8 @@ struct ieee80211_key {
-       } debugfs;
- #endif
-+      unsigned int color;
-+
-       /*
-        * key config, must be last because it contains key
-        * material as variable length member
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2265,6 +2265,7 @@ ieee80211_rx_h_defragment(struct ieee802
-                        * next fragment has a sequential PN value.
-                        */
-                       entry->check_sequential_pn = true;
-+                      entry->key_color = rx->key->color;
-                       memcpy(entry->last_pn,
-                              rx->key->u.ccmp.rx_pn[queue],
-                              IEEE80211_CCMP_PN_LEN);
-@@ -2302,6 +2303,11 @@ ieee80211_rx_h_defragment(struct ieee802
-               if (!requires_sequential_pn(rx, fc))
-                       return RX_DROP_UNUSABLE;
-+
-+              /* Prevent mixed key and fragment cache attacks */
-+              if (entry->key_color != rx->key->color)
-+                      return RX_DROP_UNUSABLE;
-+
-               memcpy(pn, entry->last_pn, IEEE80211_CCMP_PN_LEN);
-               for (i = IEEE80211_CCMP_PN_LEN - 1; i >= 0; i--) {
-                       pn[i]++;
diff --git a/package/kernel/mac80211/patches/subsys/382-mac80211-properly-handle-A-MSDUs-that-start-with-an-.patch b/package/kernel/mac80211/patches/subsys/382-mac80211-properly-handle-A-MSDUs-that-start-with-an-.patch
deleted file mode 100644 (file)
index 3fdabde..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Date: Tue, 11 May 2021 20:02:44 +0200
-Subject: [PATCH] mac80211: properly handle A-MSDUs that start with an
- RFC 1042 header
-
-Properly parse A-MSDUs whose first 6 bytes happen to equal a rfc1042
-header. This can occur in practice when the destination MAC address
-equals AA:AA:03:00:00:00. More importantly, this simplifies the next
-patch to mitigate A-MSDU injection attacks.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/include/net/cfg80211.h
-+++ b/include/net/cfg80211.h
-@@ -5628,7 +5628,7 @@ unsigned int ieee80211_get_mesh_hdrlen(s
-  */
- int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
-                                 const u8 *addr, enum nl80211_iftype iftype,
--                                u8 data_offset);
-+                                u8 data_offset, bool is_amsdu);
- /**
-  * ieee80211_data_to_8023 - convert an 802.11 data frame to 802.3
-@@ -5640,7 +5640,7 @@ int ieee80211_data_to_8023_exthdr(struct
- static inline int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
-                                        enum nl80211_iftype iftype)
- {
--      return ieee80211_data_to_8023_exthdr(skb, NULL, addr, iftype, 0);
-+      return ieee80211_data_to_8023_exthdr(skb, NULL, addr, iftype, 0, false);
- }
- /**
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2696,7 +2696,7 @@ __ieee80211_rx_h_amsdu(struct ieee80211_
-       if (ieee80211_data_to_8023_exthdr(skb, &ethhdr,
-                                         rx->sdata->vif.addr,
-                                         rx->sdata->vif.type,
--                                        data_offset))
-+                                        data_offset, true))
-               return RX_DROP_UNUSABLE;
-       ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -541,7 +541,7 @@ EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen)
- int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
-                                 const u8 *addr, enum nl80211_iftype iftype,
--                                u8 data_offset)
-+                                u8 data_offset, bool is_amsdu)
- {
-       struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-       struct {
-@@ -629,7 +629,7 @@ int ieee80211_data_to_8023_exthdr(struct
-       skb_copy_bits(skb, hdrlen, &payload, sizeof(payload));
-       tmp.h_proto = payload.proto;
--      if (likely((ether_addr_equal(payload.hdr, rfc1042_header) &&
-+      if (likely((!is_amsdu && ether_addr_equal(payload.hdr, rfc1042_header) &&
-                   tmp.h_proto != htons(ETH_P_AARP) &&
-                   tmp.h_proto != htons(ETH_P_IPX)) ||
-                  ether_addr_equal(payload.hdr, bridge_tunnel_header)))
diff --git a/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch b/package/kernel/mac80211/patches/subsys/383-cfg80211-mitigate-A-MSDU-aggregation-attacks.patch
deleted file mode 100644 (file)
index 8ea78dc..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Date: Tue, 11 May 2021 20:02:45 +0200
-Subject: [PATCH] cfg80211: mitigate A-MSDU aggregation attacks
-
-Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the
-destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP)
-header, and if so dropping the complete A-MSDU frame. This mitigates
-known attacks, although new (unknown) aggregation-based attacks may
-remain possible.
-
-This defense works because in A-MSDU aggregation injection attacks, a
-normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
-the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
-header. In other words, the destination MAC address of the first A-MSDU
-subframe contains the start of an RFC1042 header during an aggregation
-attack. We can detect this and thereby prevent this specific attack.
-For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi
-Through Frame Aggregation and Fragmentation".
-
-Note that for kernel 4.9 and above this patch depends on "mac80211:
-properly handle A-MSDUs that start with a rfc1042 header". Otherwise
-this patch has no impact and attacks will remain possible.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@kuleuven.be>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -775,6 +775,9 @@ void ieee80211_amsdu_to_8023s(struct sk_
-               remaining = skb->len - offset;
-               if (subframe_len > remaining)
-                       goto purge;
-+              /* mitigate A-MSDU aggregation injection attacks */
-+              if (ether_addr_equal(eth.h_dest, rfc1042_header))
-+                      goto purge;
-               offset += sizeof(struct ethhdr);
-               last = remaining <= subframe_len + padding;
diff --git a/package/kernel/mac80211/patches/subsys/384-mac80211-drop-A-MSDUs-on-old-ciphers.patch b/package/kernel/mac80211/patches/subsys/384-mac80211-drop-A-MSDUs-on-old-ciphers.patch
deleted file mode 100644 (file)
index 1b5084c..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 11 May 2021 20:02:46 +0200
-Subject: [PATCH] mac80211: drop A-MSDUs on old ciphers
-
-With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs
-since A-MSDUs are only supported if we know that they are, and
-the only practical way for that is HT support which doesn't
-support old ciphers.
-
-However, we would normally accept them anyway. Since we check
-the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in
-the QoS header is not protected in TKIP (or WEP), this enables
-attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs
-completely with old ciphers.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -6,7 +6,7 @@
-  * Copyright 2007-2010        Johannes Berg <johannes@sipsolutions.net>
-  * Copyright 2013-2014  Intel Mobile Communications GmbH
-  * Copyright(c) 2015 - 2017 Intel Deutschland GmbH
-- * Copyright (C) 2018-2020 Intel Corporation
-+ * Copyright (C) 2018-2021 Intel Corporation
-  */
- #include <linux/jiffies.h>
-@@ -2753,6 +2753,23 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx
-       if (is_multicast_ether_addr(hdr->addr1))
-               return RX_DROP_UNUSABLE;
-+      if (rx->key) {
-+              /*
-+               * We should not receive A-MSDUs on pre-HT connections,
-+               * and HT connections cannot use old ciphers. Thus drop
-+               * them, as in those cases we couldn't even have SPP
-+               * A-MSDUs or such.
-+               */
-+              switch (rx->key->conf.cipher) {
-+              case WLAN_CIPHER_SUITE_WEP40:
-+              case WLAN_CIPHER_SUITE_WEP104:
-+              case WLAN_CIPHER_SUITE_TKIP:
-+                      return RX_DROP_UNUSABLE;
-+              default:
-+                      break;
-+              }
-+      }
-+
-       return __ieee80211_rx_h_amsdu(rx, 0);
- }
diff --git a/package/kernel/mac80211/patches/subsys/385-mac80211-add-fragment-cache-to-sta_info.patch b/package/kernel/mac80211/patches/subsys/385-mac80211-add-fragment-cache-to-sta_info.patch
deleted file mode 100644 (file)
index b536126..0000000
+++ /dev/null
@@ -1,313 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 11 May 2021 20:02:47 +0200
-Subject: [PATCH] mac80211: add fragment cache to sta_info
-
-Prior patches protected against fragmentation cache attacks
-by coloring keys, but this shows that it can lead to issues
-when multiple stations use the same sequence number. Add a
-fragment cache to struct sta_info (in addition to the one in
-the interface) to separate fragments for different stations
-properly.
-
-This then automatically clear most of the fragment cache when a
-station disconnects (or reassociates) from an AP, or when client
-interfaces disconnect from the network, etc.
-
-On the way, also fix the comment there since this brings us in line
-with the recommendation in 802.11-2016 ("An AP should support ...").
-Additionally, remove a useless condition (since there's no problem
-purging an already empty list).
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -50,12 +50,6 @@ struct ieee80211_local;
- #define IEEE80211_ENCRYPT_HEADROOM 8
- #define IEEE80211_ENCRYPT_TAILROOM 18
--/* IEEE 802.11 (Ch. 9.5 Defragmentation) requires support for concurrent
-- * reception of at least three fragmented frames. This limit can be increased
-- * by changing this define, at the cost of slower frame reassembly and
-- * increased memory use (about 2 kB of RAM per entry). */
--#define IEEE80211_FRAGMENT_MAX 4
--
- /* power level hasn't been configured (or set to automatic) */
- #define IEEE80211_UNSET_POWER_LEVEL   INT_MIN
-@@ -88,19 +82,6 @@ extern const u8 ieee80211_ac_to_qos_mask
- #define IEEE80211_MAX_NAN_INSTANCE_ID 255
--struct ieee80211_fragment_entry {
--      struct sk_buff_head skb_list;
--      unsigned long first_frag_time;
--      u16 seq;
--      u16 extra_len;
--      u16 last_frag;
--      u8 rx_queue;
--      bool check_sequential_pn; /* needed for CCMP/GCMP */
--      u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
--      unsigned int key_color;
--};
--
--
- struct ieee80211_bss {
-       u32 device_ts_beacon, device_ts_presp;
-@@ -912,9 +893,7 @@ struct ieee80211_sub_if_data {
-       char name[IFNAMSIZ];
--      /* Fragment table for host-based reassembly */
--      struct ieee80211_fragment_entry fragments[IEEE80211_FRAGMENT_MAX];
--      unsigned int fragment_next;
-+      struct ieee80211_fragment_cache frags;
-       /* TID bitmap for NoAck policy */
-       u16 noack_map;
-@@ -2329,4 +2308,7 @@ u32 ieee80211_calc_expected_tx_airtime(s
- #define debug_noinline
- #endif
-+void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache);
-+void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache);
-+
- #endif /* IEEE80211_I_H */
---- a/net/mac80211/iface.c
-+++ b/net/mac80211/iface.c
-@@ -8,7 +8,7 @@
-  * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
-  * Copyright 2013-2014  Intel Mobile Communications GmbH
-  * Copyright (c) 2016        Intel Deutschland GmbH
-- * Copyright (C) 2018-2020 Intel Corporation
-+ * Copyright (C) 2018-2021 Intel Corporation
-  */
- #include <linux/slab.h>
- #include <linux/kernel.h>
-@@ -679,16 +679,12 @@ static void ieee80211_set_multicast_list
-  */
- static void ieee80211_teardown_sdata(struct ieee80211_sub_if_data *sdata)
- {
--      int i;
--
-       /* free extra data */
-       ieee80211_free_keys(sdata, false);
-       ieee80211_debugfs_remove_netdev(sdata);
--      for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++)
--              __skb_queue_purge(&sdata->fragments[i].skb_list);
--      sdata->fragment_next = 0;
-+      ieee80211_destroy_frag_cache(&sdata->frags);
-       if (ieee80211_vif_is_mesh(&sdata->vif))
-               ieee80211_mesh_teardown_sdata(sdata);
-@@ -2038,8 +2034,7 @@ int ieee80211_if_add(struct ieee80211_lo
-       sdata->wdev.wiphy = local->hw.wiphy;
-       sdata->local = local;
--      for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++)
--              skb_queue_head_init(&sdata->fragments[i].skb_list);
-+      ieee80211_init_frag_cache(&sdata->frags);
-       INIT_LIST_HEAD(&sdata->key_list);
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2133,19 +2133,34 @@ ieee80211_rx_h_decrypt(struct ieee80211_
-       return result;
- }
-+void ieee80211_init_frag_cache(struct ieee80211_fragment_cache *cache)
-+{
-+      int i;
-+
-+      for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
-+              skb_queue_head_init(&cache->entries[i].skb_list);
-+}
-+
-+void ieee80211_destroy_frag_cache(struct ieee80211_fragment_cache *cache)
-+{
-+      int i;
-+
-+      for (i = 0; i < ARRAY_SIZE(cache->entries); i++)
-+              __skb_queue_purge(&cache->entries[i].skb_list);
-+}
-+
- static inline struct ieee80211_fragment_entry *
--ieee80211_reassemble_add(struct ieee80211_sub_if_data *sdata,
-+ieee80211_reassemble_add(struct ieee80211_fragment_cache *cache,
-                        unsigned int frag, unsigned int seq, int rx_queue,
-                        struct sk_buff **skb)
- {
-       struct ieee80211_fragment_entry *entry;
--      entry = &sdata->fragments[sdata->fragment_next++];
--      if (sdata->fragment_next >= IEEE80211_FRAGMENT_MAX)
--              sdata->fragment_next = 0;
-+      entry = &cache->entries[cache->next++];
-+      if (cache->next >= IEEE80211_FRAGMENT_MAX)
-+              cache->next = 0;
--      if (!skb_queue_empty(&entry->skb_list))
--              __skb_queue_purge(&entry->skb_list);
-+      __skb_queue_purge(&entry->skb_list);
-       __skb_queue_tail(&entry->skb_list, *skb); /* no need for locking */
-       *skb = NULL;
-@@ -2160,14 +2175,14 @@ ieee80211_reassemble_add(struct ieee8021
- }
- static inline struct ieee80211_fragment_entry *
--ieee80211_reassemble_find(struct ieee80211_sub_if_data *sdata,
-+ieee80211_reassemble_find(struct ieee80211_fragment_cache *cache,
-                         unsigned int frag, unsigned int seq,
-                         int rx_queue, struct ieee80211_hdr *hdr)
- {
-       struct ieee80211_fragment_entry *entry;
-       int i, idx;
--      idx = sdata->fragment_next;
-+      idx = cache->next;
-       for (i = 0; i < IEEE80211_FRAGMENT_MAX; i++) {
-               struct ieee80211_hdr *f_hdr;
-               struct sk_buff *f_skb;
-@@ -2176,7 +2191,7 @@ ieee80211_reassemble_find(struct ieee802
-               if (idx < 0)
-                       idx = IEEE80211_FRAGMENT_MAX - 1;
--              entry = &sdata->fragments[idx];
-+              entry = &cache->entries[idx];
-               if (skb_queue_empty(&entry->skb_list) || entry->seq != seq ||
-                   entry->rx_queue != rx_queue ||
-                   entry->last_frag + 1 != frag)
-@@ -2217,6 +2232,7 @@ static bool requires_sequential_pn(struc
- static ieee80211_rx_result debug_noinline
- ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
- {
-+      struct ieee80211_fragment_cache *cache = &rx->sdata->frags;
-       struct ieee80211_hdr *hdr;
-       u16 sc;
-       __le16 fc;
-@@ -2238,6 +2254,9 @@ ieee80211_rx_h_defragment(struct ieee802
-               goto out_no_led;
-       }
-+      if (rx->sta)
-+              cache = &rx->sta->frags;
-+
-       if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-               goto out;
-@@ -2256,7 +2275,7 @@ ieee80211_rx_h_defragment(struct ieee802
-       if (frag == 0) {
-               /* This is the first fragment of a new frame. */
--              entry = ieee80211_reassemble_add(rx->sdata, frag, seq,
-+              entry = ieee80211_reassemble_add(cache, frag, seq,
-                                                rx->seqno_idx, &(rx->skb));
-               if (requires_sequential_pn(rx, fc)) {
-                       int queue = rx->security_idx;
-@@ -2284,7 +2303,7 @@ ieee80211_rx_h_defragment(struct ieee802
-       /* This is a fragment for a frame that should already be pending in
-        * fragment cache. Add this fragment to the end of the pending entry.
-        */
--      entry = ieee80211_reassemble_find(rx->sdata, frag, seq,
-+      entry = ieee80211_reassemble_find(cache, frag, seq,
-                                         rx->seqno_idx, hdr);
-       if (!entry) {
-               I802_DEBUG_INC(rx->local->rx_handlers_drop_defrag);
---- a/net/mac80211/sta_info.c
-+++ b/net/mac80211/sta_info.c
-@@ -4,7 +4,7 @@
-  * Copyright 2006-2007        Jiri Benc <jbenc@suse.cz>
-  * Copyright 2013-2014  Intel Mobile Communications GmbH
-  * Copyright (C) 2015 - 2017 Intel Deutschland GmbH
-- * Copyright (C) 2018-2020 Intel Corporation
-+ * Copyright (C) 2018-2021 Intel Corporation
-  */
- #include <linux/module.h>
-@@ -393,6 +393,8 @@ struct sta_info *sta_info_alloc(struct i
-       u64_stats_init(&sta->rx_stats.syncp);
-+      ieee80211_init_frag_cache(&sta->frags);
-+
-       sta->sta_state = IEEE80211_STA_NONE;
-       /* Mark TID as unreserved */
-@@ -1103,6 +1105,8 @@ static void __sta_info_destroy_part2(str
-       ieee80211_sta_debugfs_remove(sta);
-+      ieee80211_destroy_frag_cache(&sta->frags);
-+
-       cleanup_single_sta(sta);
- }
---- a/net/mac80211/sta_info.h
-+++ b/net/mac80211/sta_info.h
-@@ -3,7 +3,7 @@
-  * Copyright 2002-2005, Devicescape Software, Inc.
-  * Copyright 2013-2014  Intel Mobile Communications GmbH
-  * Copyright(c) 2015-2017 Intel Deutschland GmbH
-- * Copyright(c) 2020 Intel Corporation
-+ * Copyright(c) 2020-2021 Intel Corporation
-  */
- #ifndef STA_INFO_H
-@@ -439,6 +439,33 @@ struct ieee80211_sta_rx_stats {
- };
- /*
-+ * IEEE 802.11-2016 (10.6 "Defragmentation") recommends support for "concurrent
-+ * reception of at least one MSDU per access category per associated STA"
-+ * on APs, or "at least one MSDU per access category" on other interface types.
-+ *
-+ * This limit can be increased by changing this define, at the cost of slower
-+ * frame reassembly and increased memory use while fragments are pending.
-+ */
-+#define IEEE80211_FRAGMENT_MAX 4
-+
-+struct ieee80211_fragment_entry {
-+      struct sk_buff_head skb_list;
-+      unsigned long first_frag_time;
-+      u16 seq;
-+      u16 extra_len;
-+      u16 last_frag;
-+      u8 rx_queue;
-+      bool check_sequential_pn; /* needed for CCMP/GCMP */
-+      u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
-+      unsigned int key_color;
-+};
-+
-+struct ieee80211_fragment_cache {
-+      struct ieee80211_fragment_entry entries[IEEE80211_FRAGMENT_MAX];
-+      unsigned int next;
-+};
-+
-+/*
-  * The bandwidth threshold below which the per-station CoDel parameters will be
-  * scaled to be more lenient (to prevent starvation of slow stations). This
-  * value will be scaled by the number of active stations when it is being
-@@ -531,6 +558,7 @@ struct ieee80211_sta_rx_stats {
-  * @status_stats.last_ack_signal: last ACK signal
-  * @status_stats.ack_signal_filled: last ACK signal validity
-  * @status_stats.avg_ack_signal: average ACK signal
-+ * @frags: fragment cache
-  */
- struct sta_info {
-       /* General information, mostly static */
-@@ -639,6 +667,8 @@ struct sta_info {
-       struct cfg80211_chan_def tdls_chandef;
-+      struct ieee80211_fragment_cache frags;
-+
-       /* keep last! */
-       struct ieee80211_sta sta;
- };
diff --git a/package/kernel/mac80211/patches/subsys/386-mac80211-check-defrag-PN-against-current-frame.patch b/package/kernel/mac80211/patches/subsys/386-mac80211-check-defrag-PN-against-current-frame.patch
deleted file mode 100644 (file)
index fb2747a..0000000
+++ /dev/null
@@ -1,109 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 11 May 2021 20:02:48 +0200
-Subject: [PATCH] mac80211: check defrag PN against current frame
-
-As pointed out by Mathy Vanhoef, we implement the RX PN check
-on fragmented frames incorrectly - we check against the last
-received PN prior to the new frame, rather than to the one in
-this frame itself.
-
-Prior patches addressed the security issue here, but in order
-to be able to reason better about the code, fix it to really
-compare against the current frame's PN, not the last stored
-one.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -227,8 +227,15 @@ struct ieee80211_rx_data {
-        */
-       int security_idx;
--      u32 tkip_iv32;
--      u16 tkip_iv16;
-+      union {
-+              struct {
-+                      u32 iv32;
-+                      u16 iv16;
-+              } tkip;
-+              struct {
-+                      u8 pn[IEEE80211_CCMP_PN_LEN];
-+              } ccm_gcm;
-+      };
- };
- struct ieee80211_csa_settings {
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2318,7 +2318,6 @@ ieee80211_rx_h_defragment(struct ieee802
-       if (entry->check_sequential_pn) {
-               int i;
-               u8 pn[IEEE80211_CCMP_PN_LEN], *rpn;
--              int queue;
-               if (!requires_sequential_pn(rx, fc))
-                       return RX_DROP_UNUSABLE;
-@@ -2333,8 +2332,8 @@ ieee80211_rx_h_defragment(struct ieee802
-                       if (pn[i])
-                               break;
-               }
--              queue = rx->security_idx;
--              rpn = rx->key->u.ccmp.rx_pn[queue];
-+
-+              rpn = rx->ccm_gcm.pn;
-               if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
-                       return RX_DROP_UNUSABLE;
-               memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
---- a/net/mac80211/wpa.c
-+++ b/net/mac80211/wpa.c
-@@ -3,6 +3,7 @@
-  * Copyright 2002-2004, Instant802 Networks, Inc.
-  * Copyright 2008, Jouni Malinen <j@w1.fi>
-  * Copyright (C) 2016-2017 Intel Deutschland GmbH
-+ * Copyright (C) 2020-2021 Intel Corporation
-  */
- #include <linux/netdevice.h>
-@@ -167,8 +168,8 @@ ieee80211_rx_h_michael_mic_verify(struct
- update_iv:
-       /* update IV in key information to be able to detect replays */
--      rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32;
--      rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16;
-+      rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip.iv32;
-+      rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip.iv16;
-       return RX_CONTINUE;
-@@ -294,8 +295,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
-                                         key, skb->data + hdrlen,
-                                         skb->len - hdrlen, rx->sta->sta.addr,
-                                         hdr->addr1, hwaccel, rx->security_idx,
--                                        &rx->tkip_iv32,
--                                        &rx->tkip_iv16);
-+                                        &rx->tkip.iv32,
-+                                        &rx->tkip.iv16);
-       if (res != TKIP_DECRYPT_OK)
-               return RX_DROP_UNUSABLE;
-@@ -552,6 +553,8 @@ ieee80211_crypto_ccmp_decrypt(struct iee
-               }
-               memcpy(key->u.ccmp.rx_pn[queue], pn, IEEE80211_CCMP_PN_LEN);
-+              if (unlikely(ieee80211_is_frag(hdr)))
-+                      memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
-       }
-       /* Remove CCMP header and MIC */
-@@ -782,6 +785,8 @@ ieee80211_crypto_gcmp_decrypt(struct iee
-               }
-               memcpy(key->u.gcmp.rx_pn[queue], pn, IEEE80211_GCMP_PN_LEN);
-+              if (unlikely(ieee80211_is_frag(hdr)))
-+                      memcpy(rx->ccm_gcm.pn, pn, IEEE80211_CCMP_PN_LEN);
-       }
-       /* Remove GCMP header and MIC */
diff --git a/package/kernel/mac80211/patches/subsys/387-mac80211-prevent-attacks-on-TKIP-WEP-as-well.patch b/package/kernel/mac80211/patches/subsys/387-mac80211-prevent-attacks-on-TKIP-WEP-as-well.patch
deleted file mode 100644 (file)
index bc582a6..0000000
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 11 May 2021 20:02:49 +0200
-Subject: [PATCH] mac80211: prevent attacks on TKIP/WEP as well
-
-Similar to the issues fixed in previous patches, TKIP and WEP
-should be protected even if for TKIP we have the Michael MIC
-protecting it, and WEP is broken anyway.
-
-However, this also somewhat protects potential other algorithms
-that drivers might implement.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2284,6 +2284,7 @@ ieee80211_rx_h_defragment(struct ieee802
-                        * next fragment has a sequential PN value.
-                        */
-                       entry->check_sequential_pn = true;
-+                      entry->is_protected = true;
-                       entry->key_color = rx->key->color;
-                       memcpy(entry->last_pn,
-                              rx->key->u.ccmp.rx_pn[queue],
-@@ -2296,6 +2297,9 @@ ieee80211_rx_h_defragment(struct ieee802
-                                    sizeof(rx->key->u.gcmp.rx_pn[queue]));
-                       BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
-                                    IEEE80211_GCMP_PN_LEN);
-+              } else if (rx->key && ieee80211_has_protected(fc)) {
-+                      entry->is_protected = true;
-+                      entry->key_color = rx->key->color;
-               }
-               return RX_QUEUED;
-       }
-@@ -2337,6 +2341,14 @@ ieee80211_rx_h_defragment(struct ieee802
-               if (memcmp(pn, rpn, IEEE80211_CCMP_PN_LEN))
-                       return RX_DROP_UNUSABLE;
-               memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
-+      } else if (entry->is_protected &&
-+                 (!rx->key || !ieee80211_has_protected(fc) ||
-+                  rx->key->color != entry->key_color)) {
-+              /* Drop this as a mixed key or fragment cache attack, even
-+               * if for TKIP Michael MIC should protect us, and WEP is a
-+               * lost cause anyway.
-+               */
-+              return RX_DROP_UNUSABLE;
-       }
-       skb_pull(rx->skb, ieee80211_hdrlen(fc));
---- a/net/mac80211/sta_info.h
-+++ b/net/mac80211/sta_info.h
-@@ -455,7 +455,8 @@ struct ieee80211_fragment_entry {
-       u16 extra_len;
-       u16 last_frag;
-       u8 rx_queue;
--      bool check_sequential_pn; /* needed for CCMP/GCMP */
-+      u8 check_sequential_pn:1, /* needed for CCMP/GCMP */
-+         is_protected:1;
-       u8 last_pn[6]; /* PN of the last fragment if CCMP was used */
-       unsigned int key_color;
- };
diff --git a/package/kernel/mac80211/patches/subsys/388-mac80211-do-not-accept-forward-invalid-EAPOL-frames.patch b/package/kernel/mac80211/patches/subsys/388-mac80211-do-not-accept-forward-invalid-EAPOL-frames.patch
deleted file mode 100644 (file)
index 9a0b78d..0000000
+++ /dev/null
@@ -1,94 +0,0 @@
-From: Johannes Berg <johannes.berg@intel.com>
-Date: Tue, 11 May 2021 20:02:50 +0200
-Subject: [PATCH] mac80211: do not accept/forward invalid EAPOL frames
-
-EAPOL frames are used for authentication and key management between the
-AP and each individual STA associated in the BSS. Those frames are not
-supposed to be sent by one associated STA to another associated STA
-(either unicast for broadcast/multicast).
-
-Similarly, in 802.11 they're supposed to be sent to the authenticator
-(AP) address.
-
-Since it is possible for unexpected EAPOL frames to result in misbehavior
-in supplicant implementations, it is better for the AP to not allow such
-cases to be forwarded to other clients either directly, or indirectly if
-the AP interface is part of a bridge.
-
-Accept EAPOL (control port) frames only if they're transmitted to the
-own address, or, due to interoperability concerns, to the PAE group
-address.
-
-Disable forwarding of EAPOL (or well, the configured control port
-protocol) frames back to wireless medium in all cases. Previously, these
-frames were accepted from fully authenticated and authorized stations
-and also from unauthenticated stations for one of the cases.
-
-Additionally, to avoid forwarding by the bridge, rewrite the PAE group
-address case to the local MAC address.
-
-Cc: stable@vger.kernel.org
-Co-developed-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2541,13 +2541,13 @@ static bool ieee80211_frame_allowed(stru
-       struct ethhdr *ehdr = (struct ethhdr *) rx->skb->data;
-       /*
--       * Allow EAPOL frames to us/the PAE group address regardless
--       * of whether the frame was encrypted or not.
-+       * Allow EAPOL frames to us/the PAE group address regardless of
-+       * whether the frame was encrypted or not, and always disallow
-+       * all other destination addresses for them.
-        */
--      if (ehdr->h_proto == rx->sdata->control_port_protocol &&
--          (ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
--           ether_addr_equal(ehdr->h_dest, pae_group_addr)))
--              return true;
-+      if (unlikely(ehdr->h_proto == rx->sdata->control_port_protocol))
-+              return ether_addr_equal(ehdr->h_dest, rx->sdata->vif.addr) ||
-+                     ether_addr_equal(ehdr->h_dest, pae_group_addr);
-       if (ieee80211_802_1x_port_control(rx) ||
-           ieee80211_drop_unencrypted(rx, fc))
-@@ -2572,8 +2572,28 @@ static void ieee80211_deliver_skb_to_loc
-               cfg80211_rx_control_port(dev, skb, noencrypt);
-               dev_kfree_skb(skb);
-       } else {
-+              struct ethhdr *ehdr = (void *)skb_mac_header(skb);
-+
-               memset(skb->cb, 0, sizeof(skb->cb));
-+              /*
-+               * 802.1X over 802.11 requires that the authenticator address
-+               * be used for EAPOL frames. However, 802.1X allows the use of
-+               * the PAE group address instead. If the interface is part of
-+               * a bridge and we pass the frame with the PAE group address,
-+               * then the bridge will forward it to the network (even if the
-+               * client was not associated yet), which isn't supposed to
-+               * happen.
-+               * To avoid that, rewrite the destination address to our own
-+               * address, so that the authenticator (e.g. hostapd) will see
-+               * the frame, but bridge won't forward it anywhere else. Note
-+               * that due to earlier filtering, the only other address can
-+               * be the PAE group address.
-+               */
-+              if (unlikely(skb->protocol == sdata->control_port_protocol &&
-+                           !ether_addr_equal(ehdr->h_dest, sdata->vif.addr)))
-+                      ether_addr_copy(ehdr->h_dest, sdata->vif.addr);
-+
-               /* deliver to local stack */
-               if (rx->list)
- #if LINUX_VERSION_IS_GEQ(4,19,0)
-@@ -2617,6 +2637,7 @@ ieee80211_deliver_skb(struct ieee80211_r
-       if ((sdata->vif.type == NL80211_IFTYPE_AP ||
-            sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
-           !(sdata->flags & IEEE80211_SDATA_DONT_BRIDGE_PACKETS) &&
-+          ehdr->h_proto != rx->sdata->control_port_protocol &&
-           (sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->u.vlan.sta)) {
-               if (is_multicast_ether_addr(ehdr->h_dest) &&
-                   ieee80211_vif_get_num_mcast_if(sdata) != 0) {
diff --git a/package/kernel/mac80211/patches/subsys/389-mac80211-extend-protection-against-mixed-key-and-fra.patch b/package/kernel/mac80211/patches/subsys/389-mac80211-extend-protection-against-mixed-key-and-fra.patch
deleted file mode 100644 (file)
index 1780926..0000000
+++ /dev/null
@@ -1,68 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:51 +0200
-Subject: [PATCH] mac80211: extend protection against mixed key and
- fragment cache attacks
-
-For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
-done by the hardware, and the Protected bit in the Frame Control field
-is cleared in the lower level driver before the frame is passed to
-mac80211. In such cases, the condition for ieee80211_has_protected() is
-not met in ieee80211_rx_h_defragment() of mac80211 and the new security
-validation steps are not executed.
-
-Extend mac80211 to cover the case where the Protected bit has been
-cleared, but the frame is indicated as having been decrypted by the
-hardware. This extends protection against mixed key and fragment cache
-attack for additional drivers/chips. This fixes CVE-2020-24586 and
-CVE-2020-24587 for such cases.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2239,6 +2239,7 @@ ieee80211_rx_h_defragment(struct ieee802
-       unsigned int frag, seq;
-       struct ieee80211_fragment_entry *entry;
-       struct sk_buff *skb;
-+      struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
-       hdr = (struct ieee80211_hdr *)rx->skb->data;
-       fc = hdr->frame_control;
-@@ -2297,7 +2298,9 @@ ieee80211_rx_h_defragment(struct ieee802
-                                    sizeof(rx->key->u.gcmp.rx_pn[queue]));
-                       BUILD_BUG_ON(IEEE80211_CCMP_PN_LEN !=
-                                    IEEE80211_GCMP_PN_LEN);
--              } else if (rx->key && ieee80211_has_protected(fc)) {
-+              } else if (rx->key &&
-+                         (ieee80211_has_protected(fc) ||
-+                          (status->flag & RX_FLAG_DECRYPTED))) {
-                       entry->is_protected = true;
-                       entry->key_color = rx->key->color;
-               }
-@@ -2342,13 +2345,19 @@ ieee80211_rx_h_defragment(struct ieee802
-                       return RX_DROP_UNUSABLE;
-               memcpy(entry->last_pn, pn, IEEE80211_CCMP_PN_LEN);
-       } else if (entry->is_protected &&
--                 (!rx->key || !ieee80211_has_protected(fc) ||
-+                 (!rx->key ||
-+                  (!ieee80211_has_protected(fc) &&
-+                   !(status->flag & RX_FLAG_DECRYPTED)) ||
-                   rx->key->color != entry->key_color)) {
-               /* Drop this as a mixed key or fragment cache attack, even
-                * if for TKIP Michael MIC should protect us, and WEP is a
-                * lost cause anyway.
-                */
-               return RX_DROP_UNUSABLE;
-+      } else if (entry->is_protected && rx->key &&
-+                 entry->key_color != rx->key->color &&
-+                 (status->flag & RX_FLAG_DECRYPTED)) {
-+              return RX_DROP_UNUSABLE;
-       }
-       skb_pull(rx->skb, ieee80211_hdrlen(fc));