From 32621086c3b0c641609580bdf83d4c731caa7f5e Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Wed, 29 Mar 2023 17:54:19 +0200 Subject: [PATCH] mac80211, mt76: add fixes for recently discovered security issues Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau (cherry picked from commit d54c91bd9ab3c54ee06923eafbd67047816a37e4) --- ...orrectly-mark-FTM-frames-non-buffera.patch | 145 +++++++++ ...mac80211-flush-queues-on-STA-removal.patch | 36 +++ ...i-mvm-support-flush-on-AP-interfaces.patch | 34 ++ ...3-wifi-mac80211-add-flush_sta-method.patch | 91 ++++++ ...ifi-mvm-support-new-flush_sta-method.patch | 53 +++ ...ss-the-dst-buffer-to-of_get_mac_addr.patch | 2 +- ...ix-encap-offload-ethernet-type-check.patch | 12 +- .../kernel/mt76/patches/110-api_update.patch | 11 + ...ifi-mt76-ignore-key-disable-commands.patch | 301 ++++++++++++++++++ 9 files changed, 676 insertions(+), 9 deletions(-) create mode 100644 package/kernel/mac80211/patches/subsys/410-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch create mode 100644 package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch create mode 100644 package/kernel/mac80211/patches/subsys/412-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch create mode 100644 package/kernel/mac80211/patches/subsys/413-wifi-mac80211-add-flush_sta-method.patch create mode 100644 package/kernel/mac80211/patches/subsys/414-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch create mode 100644 package/kernel/mt76/patches/110-api_update.patch create mode 100644 package/kernel/mt76/patches/120-wifi-mt76-ignore-key-disable-commands.patch diff --git a/package/kernel/mac80211/patches/subsys/410-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch b/package/kernel/mac80211/patches/subsys/410-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch new file mode 100644 index 0000000000..6f72c1d5ca --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/410-wifi-ieee80211-correctly-mark-FTM-frames-non-buffera.patch @@ -0,0 +1,145 @@ +From: Johannes Berg +Date: Wed, 29 Mar 2023 16:46:26 +0200 +Subject: [PATCH] wifi: ieee80211: correctly mark FTM frames non-bufferable + +The checks of whether or not a frame is bufferable were not +taking into account that some action frames aren't, such as +FTM. Check this, which requires some changes to the function +ieee80211_is_bufferable_mmpdu() since we need the whole skb +for the checks now. + +Signed-off-by: Johannes Berg +Reviewed-by: Greenman, Gregory +Reviewed-by: Peer, Ilan +--- + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -604,8 +604,9 @@ static void iwl_mvm_skb_prepare_status(s + + static int iwl_mvm_get_ctrl_vif_queue(struct iwl_mvm *mvm, + struct ieee80211_tx_info *info, +- struct ieee80211_hdr *hdr) ++ struct sk_buff *skb) + { ++ struct ieee80211_hdr *hdr = (void *)skb->data; + struct iwl_mvm_vif *mvmvif = + iwl_mvm_vif_from_mac80211(info->control.vif); + __le16 fc = hdr->frame_control; +@@ -624,7 +625,7 @@ static int iwl_mvm_get_ctrl_vif_queue(st + * reason 7 ("Class 3 frame received from nonassociated STA"). + */ + if (ieee80211_is_mgmt(fc) && +- (!ieee80211_is_bufferable_mmpdu(fc) || ++ (!ieee80211_is_bufferable_mmpdu(skb) || + ieee80211_is_deauth(fc) || ieee80211_is_disassoc(fc))) + return mvm->probe_queue; + +@@ -742,7 +743,7 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + else + sta_id = mvmvif->mcast_sta.sta_id; + +- queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info, hdr); ++ queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info, skb); + } else if (info.control.vif->type == NL80211_IFTYPE_MONITOR) { + queue = mvm->snif_queue; + sta_id = mvm->snif_sta.sta_id; +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -738,20 +738,6 @@ static inline bool ieee80211_is_any_null + } + + /** +- * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU +- * @fc: frame control field in little-endian byteorder +- */ +-static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc) +-{ +- /* IEEE 802.11-2012, definition of "bufferable management frame"; +- * note that this ignores the IBSS special case. */ +- return ieee80211_is_mgmt(fc) && +- (ieee80211_is_action(fc) || +- ieee80211_is_disassoc(fc) || +- ieee80211_is_deauth(fc)); +-} +- +-/** + * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set + * @seq_ctrl: frame sequence control bytes in little-endian byteorder + */ +@@ -3614,6 +3600,44 @@ static inline u8 *ieee80211_get_DA(struc + } + + /** ++ * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU ++ * @skb: the skb to check, starting with the 802.11 header ++ */ ++static inline bool ieee80211_is_bufferable_mmpdu(struct sk_buff *skb) ++{ ++ struct ieee80211_mgmt *mgmt = (void *)skb->data; ++ __le16 fc = mgmt->frame_control; ++ ++ /* ++ * IEEE 802.11 REVme D2.0 definition of bufferable MMPDU; ++ * note that this ignores the IBSS special case. ++ */ ++ if (!ieee80211_is_mgmt(fc)) ++ return false; ++ ++ if (ieee80211_is_disassoc(fc) || ieee80211_is_deauth(fc)) ++ return true; ++ ++ if (!ieee80211_is_action(fc)) ++ return false; ++ ++ if (skb->len < offsetofend(typeof(*mgmt), u.action.u.ftm.action_code)) ++ return true; ++ ++ /* action frame - additionally check for non-bufferable FTM */ ++ ++ if (mgmt->u.action.category != WLAN_CATEGORY_PUBLIC && ++ mgmt->u.action.category != WLAN_CATEGORY_PROTECTED_DUAL_OF_ACTION) ++ return true; ++ ++ if (mgmt->u.action.u.ftm.action_code == WLAN_PUB_ACTION_FTM_REQUEST || ++ mgmt->u.action.u.ftm.action_code == WLAN_PUB_ACTION_FTM) ++ return false; ++ ++ return true; ++} ++ ++/** + * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame + * @hdr: the frame (buffer must include at least the first octet of payload) + */ +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -501,7 +501,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee + int ac = skb_get_queue_mapping(tx->skb); + + if (ieee80211_is_mgmt(hdr->frame_control) && +- !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) { ++ !ieee80211_is_bufferable_mmpdu(tx->skb)) { + info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER; + return TX_CONTINUE; + } +@@ -1296,7 +1296,7 @@ static struct txq_info *ieee80211_get_tx + if (!(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) && + unlikely(!ieee80211_is_data_present(hdr->frame_control))) { + if ((!ieee80211_is_mgmt(hdr->frame_control) || +- ieee80211_is_bufferable_mmpdu(hdr->frame_control) || ++ ieee80211_is_bufferable_mmpdu(skb) || + vif->type == NL80211_IFTYPE_STATION) && + sta && sta->uploaded) { + /* +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -814,7 +814,7 @@ static void iwl_mvm_mac_tx(struct ieee80 + if ((info->control.vif->type == NL80211_IFTYPE_AP || + info->control.vif->type == NL80211_IFTYPE_ADHOC) && + ieee80211_is_mgmt(hdr->frame_control) && +- !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) ++ !ieee80211_is_bufferable_mmpdu(skb)) + sta = NULL; + + /* If there is no sta, and it's not offchannel - send through AP */ diff --git a/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch b/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch new file mode 100644 index 0000000000..0ad02585ae --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch @@ -0,0 +1,36 @@ +From: Johannes Berg +Date: Mon, 13 Mar 2023 11:42:12 +0100 +Subject: [PATCH] wifi: mac80211: flush queues on STA removal + +When we remove a station, we first make it unreachable, +then we (must) remove its keys, and then remove the +station itself. Depending on the hardware design, if +we have hardware crypto at all, frames still sitting +on hardware queues may then be transmitted without a +valid key, possibly unencrypted or with a fixed key. + +Fix this by flushing the queues when removing stations +so this cannot happen. + +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +Reviewed-by: Greenman, Gregory +--- + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1066,6 +1066,14 @@ static void __sta_info_destroy_part2(str + WARN_ON_ONCE(ret); + } + ++ /* Flush queues before removing keys, as that might remove them ++ * from hardware, and then depending on the offload method, any ++ * frames sitting on hardware queues might be sent out without ++ * any encryption at all. ++ */ ++ if (local->ops->set_key) ++ ieee80211_flush_queues(local, sta->sdata, false); ++ + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); + diff --git a/package/kernel/mac80211/patches/subsys/412-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch b/package/kernel/mac80211/patches/subsys/412-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch new file mode 100644 index 0000000000..f2883fdbc8 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/412-wifi-iwlwifi-mvm-support-flush-on-AP-interfaces.patch @@ -0,0 +1,34 @@ +From: Johannes Berg +Date: Mon, 13 Mar 2023 12:02:58 +0100 +Subject: [PATCH] wifi: iwlwifi: mvm: support flush on AP interfaces + +Support TX flush on AP interfaces so that we will do a +proper flush for frames on the queue before keys are +removed. + +Signed-off-by: Johannes Berg +Reviewed-by: Greenman, Gregory +--- + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -4791,9 +4791,6 @@ static void iwl_mvm_mac_flush(struct iee + return; + } + +- if (vif->type != NL80211_IFTYPE_STATION) +- return; +- + /* Make sure we're done with the deferred traffic before flushing */ + flush_work(&mvm->add_stream_wk); + +@@ -4811,9 +4808,6 @@ static void iwl_mvm_mac_flush(struct iee + if (mvmsta->vif != vif) + continue; + +- /* make sure only TDLS peers or the AP are flushed */ +- WARN_ON(i != mvmvif->ap_sta_id && !sta->tdls); +- + if (drop) { + if (iwl_mvm_flush_sta(mvm, mvmsta, false)) + IWL_ERR(mvm, "flush request fail\n"); diff --git a/package/kernel/mac80211/patches/subsys/413-wifi-mac80211-add-flush_sta-method.patch b/package/kernel/mac80211/patches/subsys/413-wifi-mac80211-add-flush_sta-method.patch new file mode 100644 index 0000000000..4ec63ae883 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/413-wifi-mac80211-add-flush_sta-method.patch @@ -0,0 +1,91 @@ +From: Johannes Berg +Date: Mon, 13 Mar 2023 11:53:51 +0100 +Subject: [PATCH] wifi: mac80211: add flush_sta method + +Some drivers like iwlwifi might have per-STA queues, so we +may want to flush/drop just those queues rather than all +when removing a station. Add a separate method for that. + +Signed-off-by: Johannes Berg +Reviewed-by: Greenman, Gregory +--- + +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -3661,6 +3661,10 @@ enum ieee80211_reconfig_type { + * Note that vif can be NULL. + * The callback can sleep. + * ++ * @flush_sta: Flush or drop all pending frames from the hardware queue(s) for ++ * the given station, as it's about to be removed. ++ * The callback can sleep. ++ * + * @channel_switch: Drivers that need (or want) to offload the channel + * switch operation for CSAs received from the AP may implement this + * callback. They must then call ieee80211_chswitch_done() to indicate +@@ -4065,6 +4069,8 @@ struct ieee80211_ops { + #endif + void (*flush)(struct ieee80211_hw *hw, struct ieee80211_vif *vif, + u32 queues, bool drop); ++ void (*flush_sta)(struct ieee80211_hw *hw, struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta); + void (*channel_switch)(struct ieee80211_hw *hw, + struct ieee80211_vif *vif, + struct ieee80211_channel_switch *ch_switch); +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -639,6 +639,21 @@ static inline void drv_flush(struct ieee + trace_drv_return_void(local); + } + ++static inline void drv_flush_sta(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ struct sta_info *sta) ++{ ++ might_sleep(); ++ ++ if (sdata && !check_sdata_in_driver(sdata)) ++ return; ++ ++ trace_drv_flush_sta(local, sdata, &sta->sta); ++ if (local->ops->flush_sta) ++ local->ops->flush_sta(&local->hw, &sdata->vif, &sta->sta); ++ trace_drv_return_void(local); ++} ++ + static inline void drv_channel_switch(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, + struct ieee80211_channel_switch *ch_switch) +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1071,8 +1071,12 @@ static void __sta_info_destroy_part2(str + * frames sitting on hardware queues might be sent out without + * any encryption at all. + */ +- if (local->ops->set_key) +- ieee80211_flush_queues(local, sta->sdata, false); ++ if (local->ops->set_key) { ++ if (local->ops->flush_sta) ++ drv_flush_sta(local, sta->sdata, sta); ++ else ++ ieee80211_flush_queues(local, sta->sdata, false); ++ } + + /* now keys can no longer be reached */ + ieee80211_free_sta_keys(local, sta); +--- a/net/mac80211/trace.h ++++ b/net/mac80211/trace.h +@@ -1140,6 +1140,13 @@ TRACE_EVENT(drv_flush, + ) + ); + ++DEFINE_EVENT(sta_event, drv_flush_sta, ++ TP_PROTO(struct ieee80211_local *local, ++ struct ieee80211_sub_if_data *sdata, ++ struct ieee80211_sta *sta), ++ TP_ARGS(local, sdata, sta) ++); ++ + TRACE_EVENT(drv_channel_switch, + TP_PROTO(struct ieee80211_local *local, + struct ieee80211_sub_if_data *sdata, diff --git a/package/kernel/mac80211/patches/subsys/414-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch b/package/kernel/mac80211/patches/subsys/414-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch new file mode 100644 index 0000000000..b52bbe50b8 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/414-wifi-iwlwifi-mvm-support-new-flush_sta-method.patch @@ -0,0 +1,53 @@ +From: Johannes Berg +Date: Mon, 13 Mar 2023 12:05:35 +0100 +Subject: [PATCH] wifi: iwlwifi: mvm: support new flush_sta method + +For iwlwifi this is simple to implement, and on newer hardware +it's an improvement since we have per-station queues. + +Signed-off-by: Johannes Berg +Reviewed-by: Greenman, Gregory +--- + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -4827,6 +4827,31 @@ static void iwl_mvm_mac_flush(struct iee + iwl_trans_wait_tx_queues_empty(mvm->trans, msk); + } + ++static void iwl_mvm_mac_flush_sta(struct ieee80211_hw *hw, ++ struct ieee80211_vif *vif, ++ struct ieee80211_sta *sta) ++{ ++ struct iwl_mvm *mvm = IWL_MAC80211_GET_MVM(hw); ++ int i; ++ ++ mutex_lock(&mvm->mutex); ++ for (i = 0; i < mvm->fw->ucode_capa.num_stations; i++) { ++ struct iwl_mvm_sta *mvmsta; ++ struct ieee80211_sta *tmp; ++ ++ tmp = rcu_dereference_protected(mvm->fw_id_to_mac_id[i], ++ lockdep_is_held(&mvm->mutex)); ++ if (tmp != sta) ++ continue; ++ ++ mvmsta = iwl_mvm_sta_from_mac80211(sta); ++ ++ if (iwl_mvm_flush_sta(mvm, mvmsta, false)) ++ IWL_ERR(mvm, "flush request fail\n"); ++ } ++ mutex_unlock(&mvm->mutex); ++} ++ + static int iwl_mvm_mac_get_survey(struct ieee80211_hw *hw, int idx, + struct survey_info *survey) + { +@@ -5296,6 +5321,7 @@ const struct ieee80211_ops iwl_mvm_hw_op + .mgd_prepare_tx = iwl_mvm_mac_mgd_prepare_tx, + .mgd_protect_tdls_discover = iwl_mvm_mac_mgd_protect_tdls_discover, + .flush = iwl_mvm_mac_flush, ++ .flush_sta = iwl_mvm_mac_flush_sta, + .sched_scan_start = iwl_mvm_mac_sched_scan_start, + .sched_scan_stop = iwl_mvm_mac_sched_scan_stop, + .set_key = iwl_mvm_mac_set_key, diff --git a/package/kernel/mt76/patches/100-Revert-of-net-pass-the-dst-buffer-to-of_get_mac_addr.patch b/package/kernel/mt76/patches/100-Revert-of-net-pass-the-dst-buffer-to-of_get_mac_addr.patch index 24b1240548..ede3cca1f0 100644 --- a/package/kernel/mt76/patches/100-Revert-of-net-pass-the-dst-buffer-to-of_get_mac_addr.patch +++ b/package/kernel/mt76/patches/100-Revert-of-net-pass-the-dst-buffer-to-of_get_mac_addr.patch @@ -7,7 +7,7 @@ This reverts commit 4932c5d80153c336c77dbe8d7af9f8fdd879d01f. --- a/eeprom.c +++ b/eeprom.c -@@ -105,9 +105,15 @@ mt76_eeprom_override(struct mt76_phy *ph +@@ -107,9 +107,15 @@ mt76_eeprom_override(struct mt76_phy *ph { struct mt76_dev *dev = phy->dev; diff --git a/package/kernel/mt76/patches/101-fix-encap-offload-ethernet-type-check.patch b/package/kernel/mt76/patches/101-fix-encap-offload-ethernet-type-check.patch index d81aa4dfa3..d3deee42ce 100644 --- a/package/kernel/mt76/patches/101-fix-encap-offload-ethernet-type-check.patch +++ b/package/kernel/mt76/patches/101-fix-encap-offload-ethernet-type-check.patch @@ -17,11 +17,9 @@ Signed-off-by: Felix Fietkau drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) -diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c -index 5f4a0e811137..e353e8c44d6c 100644 --- a/mt7915/mac.c +++ b/mt7915/mac.c -@@ -1016,6 +1016,7 @@ mt7915_mac_write_txwi_8023(struct mt7915_dev *dev, __le32 *txwi, +@@ -977,6 +977,7 @@ mt7915_mac_write_txwi_8023(struct mt7915 u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; u8 fc_type, fc_stype; @@ -29,7 +27,7 @@ index 5f4a0e811137..e353e8c44d6c 100644 bool wmm = false; u32 val; -@@ -1029,7 +1030,8 @@ mt7915_mac_write_txwi_8023(struct mt7915_dev *dev, __le32 *txwi, +@@ -990,7 +991,8 @@ mt7915_mac_write_txwi_8023(struct mt7915 val = FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_802_3) | FIELD_PREP(MT_TXD1_TID, tid); @@ -39,11 +37,9 @@ index 5f4a0e811137..e353e8c44d6c 100644 val |= MT_TXD1_ETH_802_3; txwi[1] |= cpu_to_le32(val); -diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mac.c b/drivers/net/wireless/mediatek/mt76/mt7921/mac.c -index 368e54c53ddd..ac11e8b28f13 100644 --- a/mt7921/mac.c +++ b/mt7921/mac.c -@@ -814,6 +814,7 @@ mt7921_mac_write_txwi_8023(struct mt7921_dev *dev, __le32 *txwi, +@@ -811,6 +811,7 @@ mt7921_mac_write_txwi_8023(struct mt7921 { u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK; u8 fc_type, fc_stype; @@ -51,7 +47,7 @@ index 368e54c53ddd..ac11e8b28f13 100644 bool wmm = false; u32 val; -@@ -827,7 +828,8 @@ mt7921_mac_write_txwi_8023(struct mt7921_dev *dev, __le32 *txwi, +@@ -824,7 +825,8 @@ mt7921_mac_write_txwi_8023(struct mt7921 val = FIELD_PREP(MT_TXD1_HDR_FORMAT, MT_HDR_FORMAT_802_3) | FIELD_PREP(MT_TXD1_TID, tid); diff --git a/package/kernel/mt76/patches/110-api_update.patch b/package/kernel/mt76/patches/110-api_update.patch new file mode 100644 index 0000000000..a42277704e --- /dev/null +++ b/package/kernel/mt76/patches/110-api_update.patch @@ -0,0 +1,11 @@ +--- a/tx.c ++++ b/tx.c +@@ -326,7 +326,7 @@ mt76_tx(struct mt76_phy *phy, struct iee + if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) && + !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) && + !ieee80211_is_data(hdr->frame_control) && +- !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) { ++ !ieee80211_is_bufferable_mmpdu(skb)) { + qid = MT_TXQ_PSD; + skb_set_queue_mapping(skb, qid); + } diff --git a/package/kernel/mt76/patches/120-wifi-mt76-ignore-key-disable-commands.patch b/package/kernel/mt76/patches/120-wifi-mt76-ignore-key-disable-commands.patch new file mode 100644 index 0000000000..3f97de916e --- /dev/null +++ b/package/kernel/mt76/patches/120-wifi-mt76-ignore-key-disable-commands.patch @@ -0,0 +1,301 @@ +From: Felix Fietkau +Date: Wed, 22 Mar 2023 10:17:49 +0100 +Subject: [PATCH] wifi: mt76: ignore key disable commands + +This helps avoid cleartext leakage of already queued or powersave buffered +packets, when a reassoc triggers the key deletion. + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +--- + +--- a/mt7603/main.c ++++ b/mt7603/main.c +@@ -512,15 +512,15 @@ mt7603_set_key(struct ieee80211_hw *hw, + !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) + return -EOPNOTSUPP; + +- if (cmd == SET_KEY) { +- key->hw_key_idx = wcid->idx; +- wcid->hw_key_idx = idx; +- } else { ++ if (cmd != SET_KEY) { + if (idx == wcid->hw_key_idx) + wcid->hw_key_idx = -1; + +- key = NULL; ++ return 0; + } ++ ++ key->hw_key_idx = wcid->idx; ++ wcid->hw_key_idx = idx; + mt76_wcid_key_setup(&dev->mt76, wcid, key); + + return mt7603_wtbl_set_key(dev, wcid->idx, key); +--- a/mt7615/mac.c ++++ b/mt7615/mac.c +@@ -1231,8 +1231,7 @@ EXPORT_SYMBOL_GPL(mt7615_mac_set_rates); + static int + mt7615_mac_wtbl_update_key(struct mt7615_dev *dev, struct mt76_wcid *wcid, + struct ieee80211_key_conf *key, +- enum mt76_cipher_type cipher, u16 cipher_mask, +- enum set_key_cmd cmd) ++ enum mt76_cipher_type cipher, u16 cipher_mask) + { + u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx) + 30 * 4; + u8 data[32] = {}; +@@ -1241,27 +1240,18 @@ mt7615_mac_wtbl_update_key(struct mt7615 + return -EINVAL; + + mt76_rr_copy(dev, addr, data, sizeof(data)); +- if (cmd == SET_KEY) { +- if (cipher == MT_CIPHER_TKIP) { +- /* Rx/Tx MIC keys are swapped */ +- memcpy(data, key->key, 16); +- memcpy(data + 16, key->key + 24, 8); +- memcpy(data + 24, key->key + 16, 8); +- } else { +- if (cipher_mask == BIT(cipher)) +- memcpy(data, key->key, key->keylen); +- else if (cipher != MT_CIPHER_BIP_CMAC_128) +- memcpy(data, key->key, 16); +- if (cipher == MT_CIPHER_BIP_CMAC_128) +- memcpy(data + 16, key->key, 16); +- } ++ if (cipher == MT_CIPHER_TKIP) { ++ /* Rx/Tx MIC keys are swapped */ ++ memcpy(data, key->key, 16); ++ memcpy(data + 16, key->key + 24, 8); ++ memcpy(data + 24, key->key + 16, 8); + } else { ++ if (cipher_mask == BIT(cipher)) ++ memcpy(data, key->key, key->keylen); ++ else if (cipher != MT_CIPHER_BIP_CMAC_128) ++ memcpy(data, key->key, 16); + if (cipher == MT_CIPHER_BIP_CMAC_128) +- memset(data + 16, 0, 16); +- else if (cipher_mask) +- memset(data, 0, 16); +- if (!cipher_mask) +- memset(data, 0, sizeof(data)); ++ memcpy(data + 16, key->key, 16); + } + + mt76_wr_copy(dev, addr, data, sizeof(data)); +@@ -1272,7 +1262,7 @@ mt7615_mac_wtbl_update_key(struct mt7615 + static int + mt7615_mac_wtbl_update_pk(struct mt7615_dev *dev, struct mt76_wcid *wcid, + enum mt76_cipher_type cipher, u16 cipher_mask, +- int keyidx, enum set_key_cmd cmd) ++ int keyidx) + { + u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx), w0, w1; + +@@ -1291,9 +1281,7 @@ mt7615_mac_wtbl_update_pk(struct mt7615_ + else + w0 &= ~MT_WTBL_W0_RX_IK_VALID; + +- if (cmd == SET_KEY && +- (cipher != MT_CIPHER_BIP_CMAC_128 || +- cipher_mask == BIT(cipher))) { ++ if (cipher != MT_CIPHER_BIP_CMAC_128 || cipher_mask == BIT(cipher)) { + w0 &= ~MT_WTBL_W0_KEY_IDX; + w0 |= FIELD_PREP(MT_WTBL_W0_KEY_IDX, keyidx); + } +@@ -1310,19 +1298,10 @@ mt7615_mac_wtbl_update_pk(struct mt7615_ + + static void + mt7615_mac_wtbl_update_cipher(struct mt7615_dev *dev, struct mt76_wcid *wcid, +- enum mt76_cipher_type cipher, u16 cipher_mask, +- enum set_key_cmd cmd) ++ enum mt76_cipher_type cipher, u16 cipher_mask) + { + u32 addr = mt7615_mac_wtbl_addr(dev, wcid->idx); + +- if (!cipher_mask) { +- mt76_clear(dev, addr + 2 * 4, MT_WTBL_W2_KEY_TYPE); +- return; +- } +- +- if (cmd != SET_KEY) +- return; +- + if (cipher == MT_CIPHER_BIP_CMAC_128 && + cipher_mask & ~BIT(MT_CIPHER_BIP_CMAC_128)) + return; +@@ -1333,8 +1312,7 @@ mt7615_mac_wtbl_update_cipher(struct mt7 + + int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, + struct mt76_wcid *wcid, +- struct ieee80211_key_conf *key, +- enum set_key_cmd cmd) ++ struct ieee80211_key_conf *key) + { + enum mt76_cipher_type cipher; + u16 cipher_mask = wcid->cipher; +@@ -1344,19 +1322,14 @@ int __mt7615_mac_wtbl_set_key(struct mt7 + if (cipher == MT_CIPHER_NONE) + return -EOPNOTSUPP; + +- if (cmd == SET_KEY) +- cipher_mask |= BIT(cipher); +- else +- cipher_mask &= ~BIT(cipher); +- +- mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask, cmd); +- err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask, +- cmd); ++ cipher_mask |= BIT(cipher); ++ mt7615_mac_wtbl_update_cipher(dev, wcid, cipher, cipher_mask); ++ err = mt7615_mac_wtbl_update_key(dev, wcid, key, cipher, cipher_mask); + if (err < 0) + return err; + + err = mt7615_mac_wtbl_update_pk(dev, wcid, cipher, cipher_mask, +- key->keyidx, cmd); ++ key->keyidx); + if (err < 0) + return err; + +@@ -1367,13 +1340,12 @@ int __mt7615_mac_wtbl_set_key(struct mt7 + + int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, + struct mt76_wcid *wcid, +- struct ieee80211_key_conf *key, +- enum set_key_cmd cmd) ++ struct ieee80211_key_conf *key) + { + int err; + + spin_lock_bh(&dev->mt76.lock); +- err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd); ++ err = __mt7615_mac_wtbl_set_key(dev, wcid, key); + spin_unlock_bh(&dev->mt76.lock); + + return err; +--- a/mt7615/main.c ++++ b/mt7615/main.c +@@ -405,18 +405,17 @@ static int mt7615_set_key(struct ieee802 + + if (cmd == SET_KEY) + *wcid_keyidx = idx; +- else if (idx == *wcid_keyidx) +- *wcid_keyidx = -1; +- else ++ else { ++ if (idx == *wcid_keyidx) ++ *wcid_keyidx = -1; + goto out; ++ } + +- mt76_wcid_key_setup(&dev->mt76, wcid, +- cmd == SET_KEY ? key : NULL); +- ++ mt76_wcid_key_setup(&dev->mt76, wcid, key); + if (mt76_is_mmio(&dev->mt76)) +- err = mt7615_mac_wtbl_set_key(dev, wcid, key, cmd); ++ err = mt7615_mac_wtbl_set_key(dev, wcid, key); + else +- err = __mt7615_mac_wtbl_set_key(dev, wcid, key, cmd); ++ err = __mt7615_mac_wtbl_set_key(dev, wcid, key); + + out: + mt7615_mutex_release(dev); +--- a/mt7615/mt7615.h ++++ b/mt7615/mt7615.h +@@ -502,11 +502,9 @@ int mt7615_mac_write_txwi(struct mt7615_ + void mt7615_mac_set_timing(struct mt7615_phy *phy); + int __mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, + struct mt76_wcid *wcid, +- struct ieee80211_key_conf *key, +- enum set_key_cmd cmd); ++ struct ieee80211_key_conf *key); + int mt7615_mac_wtbl_set_key(struct mt7615_dev *dev, struct mt76_wcid *wcid, +- struct ieee80211_key_conf *key, +- enum set_key_cmd cmd); ++ struct ieee80211_key_conf *key); + void mt7615_mac_reset_work(struct work_struct *work); + u32 mt7615_mac_get_sta_tid_sn(struct mt7615_dev *dev, int wcid, u8 tid); + +--- a/mt76x02_util.c ++++ b/mt76x02_util.c +@@ -453,20 +453,20 @@ int mt76x02_set_key(struct ieee80211_hw + msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL; + wcid = msta ? &msta->wcid : &mvif->group_wcid; + +- if (cmd == SET_KEY) { +- key->hw_key_idx = wcid->idx; +- wcid->hw_key_idx = idx; +- if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) { +- key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX; +- wcid->sw_iv = true; +- } +- } else { ++ if (cmd != SET_KEY) { + if (idx == wcid->hw_key_idx) { + wcid->hw_key_idx = -1; + wcid->sw_iv = false; + } + +- key = NULL; ++ return 0; ++ } ++ ++ key->hw_key_idx = wcid->idx; ++ wcid->hw_key_idx = idx; ++ if (key->flags & IEEE80211_KEY_FLAG_RX_MGMT) { ++ key->flags |= IEEE80211_KEY_FLAG_SW_MGMT_TX; ++ wcid->sw_iv = true; + } + mt76_wcid_key_setup(&dev->mt76, wcid, key); + +--- a/mt7915/main.c ++++ b/mt7915/main.c +@@ -405,16 +405,15 @@ static int mt7915_set_key(struct ieee802 + + mutex_lock(&dev->mt76.mutex); + +- if (cmd == SET_KEY) ++ if (cmd == SET_KEY) { + *wcid_keyidx = idx; +- else if (idx == *wcid_keyidx) +- *wcid_keyidx = -1; +- else ++ } else { ++ if (idx == *wcid_keyidx) ++ *wcid_keyidx = -1; + goto out; ++ } + +- mt76_wcid_key_setup(&dev->mt76, wcid, +- cmd == SET_KEY ? key : NULL); +- ++ mt76_wcid_key_setup(&dev->mt76, wcid, key); + err = mt7915_mcu_add_key(dev, vif, msta, key, cmd); + + out: +--- a/mt7921/main.c ++++ b/mt7921/main.c +@@ -441,16 +441,15 @@ static int mt7921_set_key(struct ieee802 + + mt7921_mutex_acquire(dev); + +- if (cmd == SET_KEY) ++ if (cmd == SET_KEY) { + *wcid_keyidx = idx; +- else if (idx == *wcid_keyidx) +- *wcid_keyidx = -1; +- else ++ } else { ++ if (idx == *wcid_keyidx) ++ *wcid_keyidx = -1; + goto out; ++ } + +- mt76_wcid_key_setup(&dev->mt76, wcid, +- cmd == SET_KEY ? key : NULL); +- ++ mt76_wcid_key_setup(&dev->mt76, wcid, key); + err = mt7921_mcu_add_key(dev, vif, msta, key, cmd); + if (err) + goto out; -- 2.30.2