openwrt/package/kernel/mac80211/patches/brcm/998-survey.patch
Hauke Mehrtens 97bc59a5c0 mac80211: Update to backports-5.10.68
Refresh all patches.
The removed patches were integrated upstream.

This contains fixes for CVE-2020-3702

1. These patches (ath, ath9k, mac80211)  were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].

Thank you Josef Schlehofer for reporting this problem.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-09-22 22:24:00 +02:00

149 lines
4.2 KiB
Diff

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -2913,6 +2913,63 @@ done:
}
static int
+brcmf_cfg80211_dump_survey(struct wiphy *wiphy, struct net_device *ndev,
+ int idx, struct survey_info *survey)
+{
+ struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
+ struct brcmf_if *ifp = netdev_priv(ndev);
+ struct brcmu_chan ch;
+ enum nl80211_band band = 0;
+ s32 err = 0;
+ int noise;
+ u32 freq;
+ u32 chanspec;
+
+ memset(survey, 0, sizeof(struct survey_info));
+ if (idx != 0) {
+ if (idx >= cfg->pub->num_chan_stats || cfg->pub->chan_stats == NULL)
+ return -ENOENT;
+ if (cfg->pub->chan_stats[idx].freq == 0)
+ return -ENOENT;
+ survey->filled = SURVEY_INFO_NOISE_DBM;
+ survey->channel = ieee80211_get_channel(wiphy, cfg->pub->chan_stats[idx].freq);
+ survey->noise = cfg->pub->chan_stats[idx].noise;
+ return 0;
+ }
+
+ err = brcmf_fil_iovar_int_get(ifp, "chanspec", &chanspec);
+ if (err) {
+ brcmf_err("chanspec failed (%d)\n", err);
+ return err;
+ }
+
+ ch.chspec = chanspec;
+ cfg->d11inf.decchspec(&ch);
+
+ switch (ch.band) {
+ case BRCMU_CHAN_BAND_2G:
+ band = NL80211_BAND_2GHZ;
+ break;
+ case BRCMU_CHAN_BAND_5G:
+ band = NL80211_BAND_5GHZ;
+ break;
+ }
+
+ freq = ieee80211_channel_to_frequency(ch.control_ch_num, band);
+ survey->channel = ieee80211_get_channel(wiphy, freq);
+
+ err = brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_PHY_NOISE, &noise);
+ if (err) {
+ brcmf_err("Could not get noise (%d)\n", err);
+ return err;
+ }
+
+ survey->filled = SURVEY_INFO_NOISE_DBM | SURVEY_INFO_IN_USE;
+ survey->noise = le32_to_cpu(noise);
+ return 0;
+}
+
+static int
brcmf_cfg80211_dump_station(struct wiphy *wiphy, struct net_device *ndev,
int idx, u8 *mac, struct station_info *sinfo)
{
@@ -3008,6 +3065,7 @@ static s32 brcmf_inform_single_bss(struc
struct brcmu_chan ch;
u16 channel;
u32 freq;
+ int i;
u16 notify_capability;
u16 notify_interval;
u8 *notify_ie;
@@ -3032,6 +3090,17 @@ static s32 brcmf_inform_single_bss(struc
band = NL80211_BAND_5GHZ;
freq = ieee80211_channel_to_frequency(channel, band);
+ for (i = 0;i < cfg->pub->num_chan_stats;i++) {
+ if (freq == cfg->pub->chan_stats[i].freq)
+ break;
+ if (cfg->pub->chan_stats[i].freq == 0)
+ break;
+ }
+ if (i < cfg->pub->num_chan_stats) {
+ cfg->pub->chan_stats[i].freq = freq;
+ cfg->pub->chan_stats[i].noise = bi->phy_noise;
+ }
+
bss_data.chan = ieee80211_get_channel(wiphy, freq);
bss_data.scan_width = NL80211_BSS_CHAN_WIDTH_20;
bss_data.boottime_ns = ktime_to_ns(ktime_get_boottime());
@@ -5518,6 +5587,7 @@ static struct cfg80211_ops brcmf_cfg8021
.leave_ibss = brcmf_cfg80211_leave_ibss,
.get_station = brcmf_cfg80211_get_station,
.dump_station = brcmf_cfg80211_dump_station,
+ .dump_survey = brcmf_cfg80211_dump_survey,
.set_tx_power = brcmf_cfg80211_set_tx_power,
.get_tx_power = brcmf_cfg80211_get_tx_power,
.add_key = brcmf_cfg80211_add_key,
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -1356,6 +1356,8 @@ int brcmf_attach(struct device *dev)
/* Link to bus module */
drvr->hdrlen = 0;
+ drvr->chan_stats = vzalloc(256 * sizeof(struct brcmf_chan_stats));
+ drvr->num_chan_stats = 256;
/* Attach and link in the protocol */
ret = brcmf_proto_attach(drvr);
@@ -1438,6 +1440,12 @@ void brcmf_detach(struct device *dev)
if (drvr == NULL)
return;
+ drvr->num_chan_stats = 0;
+ if (drvr->chan_stats) {
+ vfree(drvr->chan_stats);
+ drvr->chan_stats = NULL;
+ }
+
#ifdef CONFIG_INET
unregister_inetaddr_notifier(&drvr->inetaddr_notifier);
#endif
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
@@ -91,6 +91,11 @@ struct brcmf_rev_info {
u32 nvramrev;
};
+struct brcmf_chan_stats {
+ u32 freq;
+ int noise;
+};
+
/* Common structure for module and instance linkage */
struct brcmf_pub {
/* Linkage ponters */
@@ -100,6 +105,9 @@ struct brcmf_pub {
struct cfg80211_ops *ops;
struct brcmf_cfg80211_info *config;
+ int num_chan_stats;
+ struct brcmf_chan_stats *chan_stats;
+
/* Internal brcmf items */
uint hdrlen; /* Total BRCMF header length (proto + bus) */