aboutsummaryrefslogtreecommitdiffstats
path: root/package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch
diff options
context:
space:
mode:
authorJohn Crispin <john@phrozen.org>2018-08-02 08:44:29 +0200
committerJohn Crispin <john@phrozen.org>2018-09-26 16:35:33 +0200
commitd9eefa7a7031543571d434693c7f984dfbdc990d (patch)
tree73ac027ccf6cdb6fd209a83e7e25c3d0472d46b4 /package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch
parente9d92bf1e1af71ff19e4cdc753de3f65963c58a5 (diff)
downloadupstream-d9eefa7a7031543571d434693c7f984dfbdc990d.tar.gz
upstream-d9eefa7a7031543571d434693c7f984dfbdc990d.tar.bz2
upstream-d9eefa7a7031543571d434693c7f984dfbdc990d.zip
mac80211: rebase ontop of v4.18.5
Signed-off-by: John Crispin <john@phrozen.org>
Diffstat (limited to 'package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch')
-rw-r--r--package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch157
1 files changed, 0 insertions, 157 deletions
diff --git a/package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch b/package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch
deleted file mode 100644
index f25dea01d2..0000000000
--- a/package/kernel/mac80211/patches/323-v4.16-0001-brcmfmac-drop-Inter-Access-Point-Protocol-packets-by.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From 1259055170287a350cad453e9eac139c81609860 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
-Date: Thu, 15 Mar 2018 08:29:09 +0100
-Subject: [PATCH] brcmfmac: drop Inter-Access Point Protocol packets by default
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Testing brcmfmac with more recent firmwares resulted in AP interfaces
-not working in some specific setups. Debugging resulted in discovering
-support for IAPP in Broadcom's firmwares.
-
-Older firmwares were only generating 802.11f frames. Newer ones like:
-1) 10.10 (TOB) (r663589)
-2) 10.10.122.20 (r683106)
-for 4366b1 and 4366c0 respectively seem to also /respect/ 802.11f frames
-in the Tx path by performing a STA disassociation.
-
-This obsoleted standard and its implementation is something that:
-1) Most people don't need / want to use
-2) Can allow local DoS attacks
-3) Breaks AP interfaces in some specific bridge setups
-
-To solve issues it can cause this commit modifies brcmfmac to drop IAPP
-packets. If affects:
-1) Rx path: driver won't be sending these unwanted packets up.
-2) Tx path: driver will reject packets that would trigger STA
- disassociation perfromed by a firmware (possible local DoS attack).
-
-It appears there are some Broadcom's clients/users who care about this
-feature despite the drawbacks. They can switch it on using a new module
-param.
-
-This change results in only two more comparisons (check for module param
-and check for Ethernet packet length) for 99.9% of packets. Its overhead
-should be very minimal.
-
-Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
-Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/common.c | 5 ++
- .../wireless/broadcom/brcm80211/brcmfmac/common.h | 1 +
- .../wireless/broadcom/brcm80211/brcmfmac/core.c | 57 ++++++++++++++++++++++
- 3 files changed, 63 insertions(+)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-@@ -75,6 +75,10 @@ static int brcmf_roamoff;
- module_param_named(roamoff, brcmf_roamoff, int, S_IRUSR);
- MODULE_PARM_DESC(roamoff, "Do not use internal roaming engine");
-
-+static int brcmf_iapp_enable;
-+module_param_named(iapp, brcmf_iapp_enable, int, 0);
-+MODULE_PARM_DESC(iapp, "Enable partial support for the obsoleted Inter-Access Point Protocol");
-+
- #ifdef DEBUG
- /* always succeed brcmf_bus_started() */
- static int brcmf_ignore_probe_fail;
-@@ -441,6 +445,7 @@ struct brcmf_mp_device *brcmf_get_module
- settings->feature_disable = brcmf_feature_disable;
- settings->fcmode = brcmf_fcmode;
- settings->roamoff = !!brcmf_roamoff;
-+ settings->iapp = !!brcmf_iapp_enable;
- #ifdef DEBUG
- settings->ignore_probe_fail = !!brcmf_ignore_probe_fail;
- #endif
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-@@ -58,6 +58,7 @@ struct brcmf_mp_device {
- unsigned int feature_disable;
- int fcmode;
- bool roamoff;
-+ bool iapp;
- bool ignore_probe_fail;
- struct brcmfmac_pd_cc *country_codes;
- union {
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -230,6 +230,37 @@ static void brcmf_netdev_set_multicast_l
- schedule_work(&ifp->multicast_work);
- }
-
-+/**
-+ * brcmf_skb_is_iapp - checks if skb is an IAPP packet
-+ *
-+ * @skb: skb to check
-+ */
-+static bool brcmf_skb_is_iapp(struct sk_buff *skb)
-+{
-+ static const u8 iapp_l2_update_packet[6] __aligned(2) = {
-+ 0x00, 0x01, 0xaf, 0x81, 0x01, 0x00,
-+ };
-+ unsigned char *eth_data;
-+#if !defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-+ const u16 *a, *b;
-+#endif
-+
-+ if (skb->len - skb->mac_len != 6 ||
-+ !is_multicast_ether_addr(eth_hdr(skb)->h_dest))
-+ return false;
-+
-+ eth_data = skb_mac_header(skb) + ETH_HLEN;
-+#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
-+ return !(((*(const u32 *)eth_data) ^ (*(const u32 *)iapp_l2_update_packet)) |
-+ ((*(const u16 *)(eth_data + 4)) ^ (*(const u16 *)(iapp_l2_update_packet + 4))));
-+#else
-+ a = (const u16 *)eth_data;
-+ b = (const u16 *)iapp_l2_update_packet;
-+
-+ return !((a[0] ^ b[0]) | (a[1] ^ b[1]) | (a[2] ^ b[2]));
-+#endif
-+}
-+
- static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
- struct net_device *ndev)
- {
-@@ -250,6 +281,23 @@ static netdev_tx_t brcmf_netdev_start_xm
- goto done;
- }
-
-+ /* Some recent Broadcom's firmwares disassociate STA when they receive
-+ * an 802.11f ADD frame. This behavior can lead to a local DoS security
-+ * issue. Attacker may trigger disassociation of any STA by sending a
-+ * proper Ethernet frame to the wireless interface.
-+ *
-+ * Moreover this feature may break AP interfaces in some specific
-+ * setups. This applies e.g. to the bridge with hairpin mode enabled and
-+ * IFLA_BRPORT_MCAST_TO_UCAST set. IAPP packet generated by a firmware
-+ * will get passed back to the wireless interface and cause immediate
-+ * disassociation of a just-connected STA.
-+ */
-+ if (!drvr->settings->iapp && brcmf_skb_is_iapp(skb)) {
-+ dev_kfree_skb(skb);
-+ ret = -EINVAL;
-+ goto done;
-+ }
-+
- /* Make sure there's enough writeable headroom */
- if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
- head_delta = max_t(int, drvr->hdrlen - skb_headroom(skb), 0);
-@@ -325,6 +373,15 @@ void brcmf_txflowblock_if(struct brcmf_i
-
- void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
- {
-+ /* Most of Broadcom's firmwares send 802.11f ADD frame every time a new
-+ * STA connects to the AP interface. This is an obsoleted standard most
-+ * users don't use, so don't pass these frames up unless requested.
-+ */
-+ if (!ifp->drvr->settings->iapp && brcmf_skb_is_iapp(skb)) {
-+ brcmu_pkt_buf_free_skb(skb);
-+ return;
-+ }
-+
- if (skb->pkt_type == PACKET_MULTICAST)
- ifp->ndev->stats.multicast++;
-