mac80211: Update to backports-5.10.68
Refresh all patches. The removed patches were integrated upstream.

This contains fixes for CVE-2020-3702:

1. These patches (ath, ath9k, mac80211) were included in kernel versions since 4.14.245 and 4.19.205. They fix the security vulnerability CVE-2020-3702 [1], similar to KrØØk, which was found by ESET [2].

Thank you Josef Schlehofer for reporting this problem.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-3702
[2] https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
@@ -132,7 +132,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
#endif /* __MAC80211_DRIVER_OPS */
|
||||
--- a/net/mac80211/iface.c
|
||||
+++ b/net/mac80211/iface.c
|
||||
@@ -835,7 +835,7 @@ static const struct net_device_ops ieee8
|
||||
@@ -856,7 +856,7 @@ static const struct net_device_ops ieee8
|
||||
|
||||
};
|
||||
|
||||
@@ -141,7 +141,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
{
|
||||
switch (iftype) {
|
||||
/* P2P GO and client are mapped to AP/STATION types */
|
||||
@@ -855,7 +855,7 @@ static bool ieee80211_set_sdata_offload_
|
||||
@@ -876,7 +876,7 @@ static bool ieee80211_set_sdata_offload_
|
||||
flags = sdata->vif.offload_flags;
|
||||
|
||||
if (ieee80211_hw_check(&local->hw, SUPPORTS_TX_ENCAP_OFFLOAD) &&
|
||||
@@ -150,7 +150,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
flags |= IEEE80211_OFFLOAD_ENCAP_ENABLED;
|
||||
|
||||
if (!ieee80211_hw_check(&local->hw, SUPPORTS_TX_FRAG) &&
|
||||
@@ -868,10 +868,21 @@ static bool ieee80211_set_sdata_offload_
|
||||
@@ -889,10 +889,21 @@ static bool ieee80211_set_sdata_offload_
|
||||
flags &= ~IEEE80211_OFFLOAD_ENCAP_ENABLED;
|
||||
}
|
||||
|
||||
@@ -172,7 +172,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -889,7 +900,7 @@ static void ieee80211_set_vif_encap_ops(
|
||||
@@ -910,7 +921,7 @@ static void ieee80211_set_vif_encap_ops(
|
||||
}
|
||||
|
||||
if (!ieee80211_hw_check(&local->hw, SUPPORTS_TX_ENCAP_OFFLOAD) ||
|
||||
@@ -183,7 +183,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
enabled = bss->vif.offload_flags & IEEE80211_OFFLOAD_ENCAP_ENABLED;
|
||||
--- a/net/mac80211/rx.c
|
||||
+++ b/net/mac80211/rx.c
|
||||
@@ -4198,7 +4198,9 @@ void ieee80211_check_fast_rx(struct sta_
|
||||
@@ -4195,7 +4195,9 @@ void ieee80211_check_fast_rx(struct sta_
|
||||
.vif_type = sdata->vif.type,
|
||||
.control_port_protocol = sdata->control_port_protocol,
|
||||
}, *old, *new = NULL;
|
||||
@@ -193,7 +193,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
|
||||
/* use sparse to check that we don't return without updating */
|
||||
__acquire(check_fast_rx);
|
||||
@@ -4311,6 +4313,17 @@ void ieee80211_check_fast_rx(struct sta_
|
||||
@@ -4308,6 +4310,17 @@ void ieee80211_check_fast_rx(struct sta_
|
||||
if (assign)
|
||||
new = kmemdup(&fastrx, sizeof(fastrx), GFP_KERNEL);
|
||||
|
||||
@@ -211,7 +211,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
spin_lock_bh(&sta->lock);
|
||||
old = rcu_dereference_protected(sta->fast_rx, true);
|
||||
rcu_assign_pointer(sta->fast_rx, new);
|
||||
@@ -4357,6 +4370,108 @@ void ieee80211_check_fast_rx_iface(struc
|
||||
@@ -4354,6 +4367,108 @@ void ieee80211_check_fast_rx_iface(struc
|
||||
mutex_unlock(&local->sta_mtx);
|
||||
}
|
||||
|
||||
@@ -320,7 +320,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
|
||||
struct ieee80211_fast_rx *fast_rx)
|
||||
{
|
||||
@@ -4377,9 +4492,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
@@ -4374,9 +4489,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
} addrs __aligned(2);
|
||||
struct ieee80211_sta_rx_stats *stats = &sta->rx_stats;
|
||||
|
||||
@@ -330,7 +330,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
/* for parallel-rx, we need to have DUP_VALIDATED, otherwise we write
|
||||
* to a common data structure; drivers can implement that per queue
|
||||
* but we don't have that information in mac80211
|
||||
@@ -4453,32 +4565,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
@@ -4450,32 +4562,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
pskb_trim(skb, skb->len - fast_rx->icv_len))
|
||||
goto drop;
|
||||
|
||||
@@ -363,7 +363,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
if (rx->key && !ieee80211_has_protected(hdr->frame_control))
|
||||
goto drop;
|
||||
|
||||
@@ -4490,12 +4576,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
@@ -4487,12 +4573,6 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -376,7 +376,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
/* do the header conversion - first grab the addresses */
|
||||
ether_addr_copy(addrs.da, skb->data + fast_rx->da_offs);
|
||||
ether_addr_copy(addrs.sa, skb->data + fast_rx->sa_offs);
|
||||
@@ -4504,62 +4584,14 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
@@ -4501,62 +4581,14 @@ static bool ieee80211_invoke_fast_rx(str
|
||||
/* push the addresses in front */
|
||||
memcpy(skb_push(skb, sizeof(addrs)), &addrs, sizeof(addrs));
|
||||
|
||||
@@ -443,7 +443,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
stats->dropped++;
|
||||
return true;
|
||||
}
|
||||
@@ -4613,6 +4645,47 @@ static bool ieee80211_prepare_and_rx_han
|
||||
@@ -4610,6 +4642,47 @@ static bool ieee80211_prepare_and_rx_han
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -491,7 +491,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
/*
|
||||
* This is the actual Rx frames handler. as it belongs to Rx path it must
|
||||
* be called with rcu_read_lock protection.
|
||||
@@ -4850,15 +4923,20 @@ void ieee80211_rx_list(struct ieee80211_
|
||||
@@ -4847,15 +4920,20 @@ void ieee80211_rx_list(struct ieee80211_
|
||||
* if it was previously present.
|
||||
* Also, frames with less than 16 bytes are dropped.
|
||||
*/
|
||||
|
||||