openwrt/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch

From: Johannes Berg <johannes.berg@intel.com>
Date: Mon, 13 Mar 2023 11:42:12 +0100
Subject: [PATCH] wifi: mac80211: flush queues on STA removal

When we remove a station, we first make it unreachable,
then we (must) remove its keys, and then remove the
station itself. Depending on the hardware design, if
we have hardware crypto at all, frames still sitting
on hardware queues may then be transmitted without a
valid key, possibly unencrypted or with a fixed key.

Fix this by flushing the queues when removing stations
so this cannot happen.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
---

--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1066,6 +1066,14 @@ static void __sta_info_destroy_part2(str
 		WARN_ON_ONCE(ret);
 	}
 
+	/* Flush queues before removing keys, as that might remove them
+	 * from hardware, and then depending on the offload method, any
+	 * frames sitting on hardware queues might be sent out without
+	 * any encryption at all.
+	 */
+	if (local->ops->set_key)
+		ieee80211_flush_queues(local, sta->sdata, false);
+
 	/* now keys can no longer be reached */
 	ieee80211_free_sta_keys(local, sta);
mac80211, mt76: add fixes for recently discovered security issues Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4) 2023-03-29 15:54:19 +00:00			`From: Johannes Berg <johannes.berg@intel.com>`
			`Date: Mon, 13 Mar 2023 11:42:12 +0100`
			`Subject: [PATCH] wifi: mac80211: flush queues on STA removal`

			`When we remove a station, we first make it unreachable,`
			`then we (must) remove its keys, and then remove the`
			`station itself. Depending on the hardware design, if`
			`we have hardware crypto at all, frames still sitting`
			`on hardware queues may then be transmitted without a`
			`valid key, possibly unencrypted or with a fixed key.`

			`Fix this by flushing the queues when removing stations`
			`so this cannot happen.`

			`Cc: stable@vger.kernel.org`
			`Signed-off-by: Johannes Berg <johannes.berg@intel.com>`
			`Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>`
			`---`

			`--- a/net/mac80211/sta_info.c`
			`+++ b/net/mac80211/sta_info.c`
			`@@ -1066,6 +1066,14 @@ static void __sta_info_destroy_part2(str`
			`WARN_ON_ONCE(ret);`
			`}`

			`+ /* Flush queues before removing keys, as that might remove them`
			`+ * from hardware, and then depending on the offload method, any`
			`+ * frames sitting on hardware queues might be sent out without`
			`+ * any encryption at all.`
			`+ */`
			`+ if (local->ops->set_key)`
			`+ ieee80211_flush_queues(local, sta->sdata, false);`
			`+`
			`/* now keys can no longer be reached */`
			`ieee80211_free_sta_keys(local, sta);`