1 From a0761a301746ec2d92d7fcb82af69c0a6a4339aa Mon Sep 17 00:00:00 2001
2 From: Johannes Berg <johannes.berg@intel.com>
3 Date: Thu, 26 Mar 2020 15:09:42 +0200
4 Subject: mac80211: drop data frames without key on encrypted links
6 If we know that we have an encrypted link (based on having had
7 a key configured for TX in the past) then drop all data frames
8 in the key selection handler if there's no key anymore.
10 This fixes an issue with mac80211 internal TXQs - there we can
11 buffer frames for an encrypted link, but then if the key is no
12 longer there when they're dequeued, the frames are sent without
13 encryption. This happens if a station is disconnected while the
14 frames are still on the TXQ.
16 Detecting that a link should be encrypted based on a first key
17 having been configured for TX is fine as there are no use cases
18 for a connection going from with encryption to no encryption.
19 With extended key IDs, however, there is a case of having a key
20 configured for only decryption, so we can't just trigger this
21 behaviour on a key being configured.
23 Cc: stable@vger.kernel.org
24 Reported-by: Jouni Malinen <j@w1.fi>
25 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
26 Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
28 net/mac80211/debugfs_sta.c | 3 ++-
29 net/mac80211/key.c | 20 ++++++++++++--------
30 net/mac80211/sta_info.h | 1 +
31 net/mac80211/tx.c | 12 +++++++++---
32 4 files changed, 24 insertions(+), 12 deletions(-)
34 --- a/net/mac80211/debugfs_sta.c
35 +++ b/net/mac80211/debugfs_sta.c
37 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net>
38 * Copyright 2013-2014 Intel Mobile Communications GmbH
39 * Copyright(c) 2016 Intel Deutschland GmbH
40 - * Copyright (C) 2018 - 2019 Intel Corporation
41 + * Copyright (C) 2018 - 2020 Intel Corporation
44 #include <linux/debugfs.h>
45 @@ -78,6 +78,7 @@ static const char * const sta_flag_names
49 + FLAG(USES_ENCRYPTION),
53 --- a/net/mac80211/key.c
54 +++ b/net/mac80211/key.c
56 * Copyright 2007-2008 Johannes Berg <johannes@sipsolutions.net>
57 * Copyright 2013-2014 Intel Mobile Communications GmbH
58 * Copyright 2015-2017 Intel Deutschland GmbH
59 - * Copyright 2018-2019 Intel Corporation
60 + * Copyright 2018-2020 Intel Corporation
63 #include <linux/if_ether.h>
64 @@ -262,22 +262,29 @@ static void ieee80211_key_disable_hw_acc
65 sta ? sta->sta.addr : bcast_addr, ret);
68 -int ieee80211_set_tx_key(struct ieee80211_key *key)
69 +static int _ieee80211_set_tx_key(struct ieee80211_key *key, bool force)
71 struct sta_info *sta = key->sta;
72 struct ieee80211_local *local = key->local;
74 assert_key_lock(local);
76 + set_sta_flag(sta, WLAN_STA_USES_ENCRYPTION);
78 sta->ptk_idx = key->conf.keyidx;
80 - if (!ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT))
81 + if (force || !ieee80211_hw_check(&local->hw, AMPDU_KEYBORDER_SUPPORT))
82 clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
83 ieee80211_check_fast_xmit(sta);
88 +int ieee80211_set_tx_key(struct ieee80211_key *key)
90 + return _ieee80211_set_tx_key(key, false);
93 static void ieee80211_pairwise_rekey(struct ieee80211_key *old,
94 struct ieee80211_key *new)
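Review bot: `_ieee80211_set_tx_key()` gains a `force` argument and a new side effect, `set_sta_flag(sta, WLAN_STA_USES_ENCRYPTION)`, and neither is explained in a comment. From the visible lines, `force` only decides whether `WLAN_STA_BLOCK_BA` is cleared even when the hardware advertises `AMPDU_KEYBORDER_SUPPORT`; a one-line comment above the helper should say that and why the rekey caller needs it. The flag is the security-relevant part: the TX path uses it to refuse plaintext data frames, so it has to stay set for the lifetime of the station. I would mark the line with `/* never cleared: once a TX key was configured the link must stay encrypted */`. No `clear_sta_flag()` for it appears in the visible hunks, but that is worth confirming across the whole file.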
96 @@ -441,11 +448,8 @@ static int ieee80211_key_replace(struct
98 rcu_assign_pointer(sta->ptk[idx], new);
100 - !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX)) {
101 - sta->ptk_idx = idx;
102 - clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
103 - ieee80211_check_fast_xmit(sta);
105 + !(new->conf.flags & IEEE80211_KEY_FLAG_NO_AUTO_TX))
106 + _ieee80211_set_tx_key(new, true);
108 rcu_assign_pointer(sta->gtk[idx], new);
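Review bot: The replacement call `_ieee80211_set_tx_key(new, true);` takes the station and key index from the key itself (`key->sta`, `key->conf.keyidx`), whereas the removed lines used the locals `sta` and `idx` of `ieee80211_key_replace()`. If those could ever differ here, `sta->ptk_idx` would point at a slot other than the one just assigned with `rcu_assign_pointer(sta->ptk[idx], new)`, and with the new drop logic that would stall data traffic for the station. The function starts outside this hunk, so the equivalence cannot be checked from here. If it holds, a short comment such as `/* new->sta == sta and new->conf.keyidx == idx at this point */` would record it. The helper's `int` return value is also discarded without a remark.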
110 --- a/net/mac80211/sta_info.h
111 +++ b/net/mac80211/sta_info.h
112 @@ -98,6 +98,7 @@ enum ieee80211_sta_info_flags {
114 WLAN_STA_MPSP_RECIPIENT,
116 + WLAN_STA_USES_ENCRYPTION,
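Review bot: `WLAN_STA_USES_ENCRYPTION` is added to `enum ieee80211_sta_info_flags` without any description; the diffstat shows a single added line for `sta_info.h`. Since this flag now gates whether unencrypted data frames are dropped, its meaning and lifetime should be written down next to the definition. If the enum carries a kernel-doc block with one entry per flag (not visible in this hunk), I would add `@WLAN_STA_USES_ENCRYPTION: a TX key was configured for this station at some point; data frames must not be sent unencrypted afterwards, even if the key is gone.`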
120 --- a/net/mac80211/tx.c
121 +++ b/net/mac80211/tx.c
122 @@ -590,10 +590,13 @@ ieee80211_tx_h_select_key(struct ieee802
123 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
124 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx->skb->data;
126 - if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT))
127 + if (unlikely(info->flags & IEEE80211_TX_INTFL_DONT_ENCRYPT)) {
129 - else if (tx->sta &&
130 - (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
131 + return TX_CONTINUE;
135 + (key = rcu_dereference(tx->sta->ptk[tx->sta->ptk_idx])))
137 else if (ieee80211_is_group_privacy_action(tx->skb) &&
138 (key = rcu_dereference(tx->sdata->default_multicast_key)))
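Review bot: The new `return TX_CONTINUE;` in the `IEEE80211_TX_INTFL_DONT_ENCRYPT` branch makes that flag an explicit exemption from the rest of the handler. Judging from the second hunk of this file, which is cut off on this page, that includes the new `WLAN_STA_USES_ENCRYPTION` drop check. That is probably intended for frames that must go out in the clear, but it means the whole protection depends on who may set the flag, and the code does not say so. I would add a comment at the return, for example `/* caller asked for plaintext: deliberately bypasses the USES_ENCRYPTION drop below */`, and check that no data-path caller can set the flag for station traffic once keys are installed. Some lines of this hunk are missing from the page, so the placement of the return inside the `if` block is inferred; `ieee80211_tx_h_select_key()` starts and ends outside the hunk.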
139 @@ -654,6 +657,9 @@ ieee80211_tx_h_select_key(struct ieee802
140 if (!skip_hw && tx->key &&
141 tx->key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE)
142 info->control.hw_key = &tx->key->conf;
143 + } else if (!ieee80211_is_mgmt(hdr->frame_control) && tx->sta &&
144 + test_sta_flag(tx->sta, WLAN_STA_USES_ENCRYPTION)) {