openwrt/package/kernel/mac80211/patches/subsys/371-mac80211-don-t-apply-flow-control-on-management-fram.patch
Hauke Mehrtens 65835e0d5f mac80211: Update to backports-5.10.68
Refresh all patches.
The removed patches were integrated upstream.

This contains fixes for CVE-2020-3702

1. These patches (ath, ath9k, mac80211)  were included in kernel
versions since 4.14.245 and 4.19.205. They fix security vulnerability
CVE-2020-3702 [1] similar to KrØØk, which was found by ESET [2].

Thank you Josef Schlehofer for reporting this problem.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-09-22 22:36:15 +02:00

61 lines
2.0 KiB
Diff

From: Johannes Berg <johannes.berg@intel.com>
Date: Fri, 19 Mar 2021 23:28:01 +0100
Subject: [PATCH] mac80211: don't apply flow control on management frames
In some cases (depending on the driver, but it's true e.g. for
iwlwifi) we're using an internal TXQ for management packets,
mostly to simplify the code and to have a place to queue them.
However, it appears that in certain cases we can confuse the
code and management frames are dropped, which is certainly not
what we want.
Short-circuit the processing of management frames. To keep the
impact minimal, only put them on the frags queue and check the
tid == management only for doing that and to skip the airtime
fairness checks, if applicable.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -5,7 +5,7 @@
* Copyright 2006-2007 Jiri Benc <jbenc@suse.cz>
* Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
* Copyright 2013-2014 Intel Mobile Communications GmbH
- * Copyright (C) 2018-2020 Intel Corporation
+ * Copyright (C) 2018-2021 Intel Corporation
*
* Transmit and frame generation functions.
*/
@@ -1401,8 +1401,17 @@ static void ieee80211_txq_enqueue(struct
ieee80211_set_skb_enqueue_time(skb);
spin_lock_bh(&fq->lock);
- fq_tin_enqueue(fq, tin, flow_idx, skb,
- fq_skb_free_func);
+ /*
+ * For management frames, don't really apply codel etc.,
+ * we don't want to apply any shaping or anything we just
+ * want to simplify the driver API by having them on the
+ * txqi.
+ */
+ if (unlikely(txqi->txq.tid == IEEE80211_NUM_TIDS))
+ __skb_queue_tail(&txqi->frags, skb);
+ else
+ fq_tin_enqueue(fq, tin, flow_idx, skb,
+ fq_skb_free_func);
spin_unlock_bh(&fq->lock);
}
@@ -3866,6 +3875,9 @@ bool ieee80211_txq_airtime_check(struct
if (!txq->sta)
return true;
+ if (unlikely(txq->tid == IEEE80211_NUM_TIDS))
+ return true;
+
sta = container_of(txq->sta, struct sta_info, sta);
if (atomic_read(&sta->airtime[txq->ac].aql_tx_pending) <
sta->airtime[txq->ac].aql_limit_low)