author | Hauke Mehrtens <hauke@hauke-m.de> | 2021-06-05 18:21:57 +0200 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2021-06-06 17:49:40 +0200 |
commit | 04a260911ca0f10a0e37c487c220e1aae3623dda (patch) | |
tree | 1c061dbdfea12c58743d088bf20937d2abc0f605 /package/kernel/mac80211/patches/ath10k | |
parent | 3c46ba053d899df65dc07e373c64d1925d30f88e (diff) | |
mac80211: Update to backports-5.10.42
The removed patches were integrated upstream.
The brcmf_driver_work workqueue was removed in brcmfmac with kernel
5.10.42, the asynchronous call was converted to a synchronous call. There
is no need to wait any more.
This part was removed manually from this patch:
brcm/860-brcmfmac-register-wiphy-s-during-module_init.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/kernel/mac80211/patches/ath10k')
8 files changed, 3 insertions, 500 deletions
diff --git a/package/kernel/mac80211/patches/ath10k/080-ath10k_thermal_config.patch b/package/kernel/mac80211/patches/ath10k/080-ath10k_thermal_config.patch
index 55d48daa79..d183419a47 100644
--- a/package/kernel/mac80211/patches/ath10k/080-ath10k_thermal_config.patch
+++ b/package/kernel/mac80211/patches/ath10k/080-ath10k_thermal_config.patch
@@ -37,7 +37,7 @@
 void ath10k_thermal_event_temperature(struct ath10k *ar, int temperature);
 --- a/local-symbols
 +++ b/local-symbols
-@@ -143,6 +143,7 @@ ATH10K_SNOC=
+@@ -144,6 +144,7 @@ ATH10K_SNOC=
 ATH10K_DEBUG=
 ATH10K_DEBUGFS=
 ATH10K_SPECTRAL=
diff --git a/package/kernel/mac80211/patches/ath10k/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch b/package/kernel/mac80211/patches/ath10k/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch
deleted file mode 100644
index 0ce49b22ab..0000000000
--- a/package/kernel/mac80211/patches/ath10k/300-ath10k-add-CCMP-PN-replay-protection-for-fragmented-.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:52 +0200
-Subject: [PATCH] ath10k: add CCMP PN replay protection for fragmented
- frames for PCIe
-
-PN replay check for not fragmented frames is finished in the firmware,
-but this was not done for fragmented frames when ath10k is used with
-QCA6174/QCA6377 PCIe. mac80211 has the function
-ieee80211_rx_h_defragment() for PN replay check for fragmented frames,
-but this does not get checked with QCA6174 due to the
-ieee80211_has_protected() condition not matching the cleared Protected
-bit case.
-
-Validate the PN of received fragmented frames within ath10k when CCMP is
-used and drop the fragment if the PN is not correct (incremented by
-exactly one from the previous fragment). This applies only for
-QCA6174/QCA6377 PCIe.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt.h
-+++ b/drivers/net/wireless/ath/ath10k/htt.h
-@@ -846,6 +846,7 @@ enum htt_security_types {
-
- #define ATH10K_HTT_TXRX_PEER_SECURITY_MAX 2
- #define ATH10K_TXRX_NUM_EXT_TIDS 19
-+#define ATH10K_TXRX_NON_QOS_TID 16
-
- enum htt_security_flags {
- #define HTT_SECURITY_TYPE_MASK 0x7F
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1746,16 +1746,87 @@ static void ath10k_htt_rx_h_csum_offload
- msdu->ip_summed = ath10k_htt_rx_get_csum_state(msdu);
- }
-
-+static u64 ath10k_htt_rx_h_get_pn(struct ath10k *ar, struct sk_buff *skb,
-+ u16 offset,
-+ enum htt_rx_mpdu_encrypt_type enctype)
-+{
-+ struct ieee80211_hdr *hdr;
-+ u64 pn = 0;
-+ u8 *ehdr;
-+
-+ hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+ ehdr = skb->data + offset + ieee80211_hdrlen(hdr->frame_control);
-+
-+ if (enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2) {
-+ pn = ehdr[0];
-+ pn |= (u64)ehdr[1] << 8;
-+ pn |= (u64)ehdr[4] << 16;
-+ pn |= (u64)ehdr[5] << 24;
-+ pn |= (u64)ehdr[6] << 32;
-+ pn |= (u64)ehdr[7] << 40;
-+ }
-+ return pn;
-+}
-+
-+static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
-+ struct sk_buff *skb,
-+ u16 peer_id,
-+ u16 offset,
-+ enum htt_rx_mpdu_encrypt_type enctype)
-+{
-+ struct ath10k_peer *peer;
-+ union htt_rx_pn_t *last_pn, new_pn = {0};
-+ struct ieee80211_hdr *hdr;
-+ bool more_frags;
-+ u8 tid, frag_number;
-+ u32 seq;
-+
-+ peer = ath10k_peer_find_by_id(ar, peer_id);
-+ if (!peer) {
-+ ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid peer for frag pn check\n");
-+ return false;
-+ }
-+
-+ hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+ if (ieee80211_is_data_qos(hdr->frame_control))
-+ tid = ieee80211_get_tid(hdr);
-+ else
-+ tid = ATH10K_TXRX_NON_QOS_TID;
-+
-+ last_pn = &peer->frag_tids_last_pn[tid];
-+ new_pn.pn48 = ath10k_htt_rx_h_get_pn(ar, skb, offset, enctype);
-+ more_frags = ieee80211_has_morefrags(hdr->frame_control);
-+ frag_number = le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_FRAG;
-+ seq = (__le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_SEQ) >> 4;
-+
-+ if (frag_number == 0) {
-+ last_pn->pn48 = new_pn.pn48;
-+ peer->frag_tids_seq[tid] = seq;
-+ } else {
-+ if (seq != peer->frag_tids_seq[tid])
-+ return false;
-+
-+ if (new_pn.pn48 != last_pn->pn48 + 1)
-+ return false;
-+
-+ last_pn->pn48 = new_pn.pn48;
-+ }
-+
-+ return true;
-+}
-+
- static void ath10k_htt_rx_h_mpdu(struct ath10k *ar,
- struct sk_buff_head *amsdu,
- struct ieee80211_rx_status *status,
- bool fill_crypt_header,
- u8 *rx_hdr,
-- enum ath10k_pkt_rx_err *err)
-+ enum ath10k_pkt_rx_err *err,
-+ u16 peer_id,
-+ bool frag)
- {
- struct sk_buff *first;
- struct sk_buff *last;
-- struct sk_buff *msdu;
-+ struct sk_buff *msdu, *temp;
- struct htt_rx_desc *rxd;
- struct ieee80211_hdr *hdr;
- enum htt_rx_mpdu_encrypt_type enctype;
-@@ -1768,6 +1839,7 @@ static void ath10k_htt_rx_h_mpdu(struct
- bool is_decrypted;
- bool is_mgmt;
- u32 attention;
-+ bool frag_pn_check = true;
-
- if (skb_queue_empty(amsdu))
- return;
-@@ -1866,6 +1938,24 @@ static void ath10k_htt_rx_h_mpdu(struct
- }
-
- skb_queue_walk(amsdu, msdu) {
-+ if (frag && !fill_crypt_header && is_decrypted &&
-+ enctype == HTT_RX_MPDU_ENCRYPT_AES_CCM_WPA2)
-+ frag_pn_check = ath10k_htt_rx_h_frag_pn_check(ar,
-+ msdu,
-+ peer_id,
-+ 0,
-+ enctype);
-+
-+ if (!frag_pn_check) {
-+ /* Discard the fragment with invalid PN */
-+ temp = msdu->prev;
-+ __skb_unlink(msdu, amsdu);
-+ dev_kfree_skb_any(msdu);
-+ msdu = temp;
-+ frag_pn_check = true;
-+ continue;
-+ }
-+
- ath10k_htt_rx_h_csum_offload(msdu);
- ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
- is_decrypted);
-@@ -2071,7 +2161,8 @@ static int ath10k_htt_rx_handle_amsdu(st
- ath10k_htt_rx_h_unchain(ar, &amsdu, &drop_cnt, &unchain_cnt);
-
- ath10k_htt_rx_h_filter(ar, &amsdu, rx_status, &drop_cnt_filter);
-- ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true, first_hdr, &err);
-+ ath10k_htt_rx_h_mpdu(ar, &amsdu, rx_status, true, first_hdr, &err, 0,
-+ false);
- msdus_to_queue = skb_queue_len(&amsdu);
- ath10k_htt_rx_h_enqueue(ar, &amsdu, rx_status);
-
-@@ -3027,7 +3118,7 @@ static int ath10k_htt_rx_in_ord_ind(stru
- ath10k_htt_rx_h_ppdu(ar, &amsdu, status, vdev_id);
- ath10k_htt_rx_h_filter(ar, &amsdu, status, NULL);
- ath10k_htt_rx_h_mpdu(ar, &amsdu, status, false, NULL,
-- NULL);
-+ NULL, peer_id, frag);
- ath10k_htt_rx_h_enqueue(ar, &amsdu, status);
- break;
- case -EAGAIN:
diff --git a/package/kernel/mac80211/patches/ath10k/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch b/package/kernel/mac80211/patches/ath10k/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch
deleted file mode 100644
index 7288c66612..0000000000
--- a/package/kernel/mac80211/patches/ath10k/301-ath10k-drop-fragments-with-multicast-DA-for-PCIe.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:53 +0200
-Subject: [PATCH] ath10k: drop fragments with multicast DA for PCIe
-
-Fragmentation is not used with multicast frames. Discard unexpected
-fragments with multicast DA. This fixes CVE-2020-26145.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1768,6 +1768,16 @@ static u64 ath10k_htt_rx_h_get_pn(struct
- return pn;
- }
-
-+static bool ath10k_htt_rx_h_frag_multicast_check(struct ath10k *ar,
-+ struct sk_buff *skb,
-+ u16 offset)
-+{
-+ struct ieee80211_hdr *hdr;
-+
-+ hdr = (struct ieee80211_hdr *)(skb->data + offset);
-+ return !is_multicast_ether_addr(hdr->addr1);
-+}
-+
- static bool ath10k_htt_rx_h_frag_pn_check(struct ath10k *ar,
- struct sk_buff *skb,
- u16 peer_id,
-@@ -1839,7 +1849,7 @@ static void ath10k_htt_rx_h_mpdu(struct
- bool is_decrypted;
- bool is_mgmt;
- u32 attention;
-- bool frag_pn_check = true;
-+ bool frag_pn_check = true, multicast_check = true;
-
- if (skb_queue_empty(amsdu))
- return;
-@@ -1946,13 +1956,20 @@ static void ath10k_htt_rx_h_mpdu(struct
- 0,
- enctype);
-
-- if (!frag_pn_check) {
-- /* Discard the fragment with invalid PN */
-+ if (frag)
-+ multicast_check = ath10k_htt_rx_h_frag_multicast_check(ar,
-+ msdu,
-+ 0);
-+
-+ if (!frag_pn_check || !multicast_check) {
-+ /* Discard the fragment with invalid PN or multicast DA
-+ */
- temp = msdu->prev;
- __skb_unlink(msdu, amsdu);
- dev_kfree_skb_any(msdu);
- msdu = temp;
- frag_pn_check = true;
-+ multicast_check = true;
- continue;
- }
-
diff --git a/package/kernel/mac80211/patches/ath10k/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch b/package/kernel/mac80211/patches/ath10k/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch
deleted file mode 100644
index 85d9ce65e2..0000000000
--- a/package/kernel/mac80211/patches/ath10k/302-ath10k-drop-fragments-with-multicast-DA-for-SDIO.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:54 +0200
-Subject: [PATCH] ath10k: drop fragments with multicast DA for SDIO
-
-Fragmentation is not used with multicast frames. Discard unexpected
-fragments with multicast DA. This fixes CVE-2020-26145.
-
-Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2617,6 +2617,13 @@ static bool ath10k_htt_rx_proc_rx_frag_i
- rx_desc = (struct htt_hl_rx_desc *)(skb->data + tot_hdr_len);
- rx_desc_info = __le32_to_cpu(rx_desc->info);
-
-+ hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
-+
-+ if (is_multicast_ether_addr(hdr->addr1)) {
-+ /* Discard the fragment with multicast DA */
-+ goto err;
-+ }
-+
- if (!MS(rx_desc_info, HTT_RX_DESC_HL_INFO_ENCRYPTED)) {
- spin_unlock_bh(&ar->data_lock);
- return ath10k_htt_rx_proc_rx_ind_hl(htt, &resp->rx_ind_hl, skb,
-@@ -2624,8 +2631,6 @@ static bool ath10k_htt_rx_proc_rx_frag_i
- HTT_RX_NON_TKIP_MIC);
- }
-
-- hdr = (struct ieee80211_hdr *)((u8 *)rx_desc + rx_hl->fw_desc.len);
--
- if (ieee80211_has_retry(hdr->frame_control))
- goto err;
-
diff --git a/package/kernel/mac80211/patches/ath10k/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch b/package/kernel/mac80211/patches/ath10k/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
deleted file mode 100644
index 03bce4231b..0000000000
--- a/package/kernel/mac80211/patches/ath10k/303-ath10k-drop-MPDU-which-has-discard-flag-set-by-firmw.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:55 +0200
-Subject: [PATCH] ath10k: drop MPDU which has discard flag set by firmware
- for SDIO
-
-When the discard flag is set by the firmware for an MPDU, it should be
-dropped. This allows a mitigation for CVE-2020-24588 to be implemented
-in the firmware.
-
-Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl
- fw_desc = &rx->fw_desc;
- rx_desc_len = fw_desc->len;
-
-+ if (fw_desc->u.bits.discard) {
-+ ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
-+ goto err;
-+ }
-+
- /* I have not yet seen any case where num_mpdu_ranges > 1.
- * qcacld does not seem handle that case either, so we introduce the
- * same limitiation here as well.
---- a/drivers/net/wireless/ath/ath10k/rx_desc.h
-+++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
-@@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
- #define FW_RX_DESC_UDP (1 << 6)
-
- struct fw_rx_desc_hl {
-- u8 info0;
-+ union {
-+ struct {
-+ u8 discard:1,
-+ forward:1,
-+ any_err:1,
-+ dup_err:1,
-+ reserved:1,
-+ inspect:1,
-+ extension:2;
-+ } bits;
-+ u8 info0;
-+ } u;
-+
- u8 version;
- u8 len;
- u8 flags;
diff --git a/package/kernel/mac80211/patches/ath10k/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch b/package/kernel/mac80211/patches/ath10k/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch
deleted file mode 100644
index da9d6802bd..0000000000
--- a/package/kernel/mac80211/patches/ath10k/304-ath10k-Fix-TKIP-Michael-MIC-verification-for-PCIe.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Wen Gong <wgong@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:56 +0200
-Subject: [PATCH] ath10k: Fix TKIP Michael MIC verification for PCIe
-
-TKIP Michael MIC was not verified properly for PCIe cases since the
-validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
-not get fully executed due to unexpected flag values in
-ieee80211_rx_status.
-
-Fix this by setting the flags property to meet mac80211 expectations for
-performing Michael MIC validation there. This fixes CVE-2020-26141. It
-does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
-MIC verification case. This applies only to QCA6174/QCA9377 PCIe.
-
-Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Wen Gong <wgong@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -1974,6 +1974,11 @@ static void ath10k_htt_rx_h_mpdu(struct
- }
-
- ath10k_htt_rx_h_csum_offload(msdu);
-+
-+ if (frag && !fill_crypt_header &&
-+ enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
-+ status->flag &= ~RX_FLAG_MMIC_STRIPPED;
-+
- ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
- is_decrypted);
-
-@@ -1991,6 +1996,11 @@ static void ath10k_htt_rx_h_mpdu(struct
-
- hdr = (void *)msdu->data;
- hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
-+
-+ if (frag && !fill_crypt_header &&
-+ enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
-+ status->flag &= ~RX_FLAG_IV_STRIPPED &
-+ ~RX_FLAG_MMIC_STRIPPED;
- }
- }
-
diff --git a/package/kernel/mac80211/patches/ath10k/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch b/package/kernel/mac80211/patches/ath10k/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch
deleted file mode 100644
index 0bdbed78d5..0000000000
--- a/package/kernel/mac80211/patches/ath10k/305-ath10k-Validate-first-subframe-of-A-MSDU-before-proc.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From: Sriram R <srirrama@codeaurora.org>
-Date: Tue, 11 May 2021 20:02:57 +0200
-Subject: [PATCH] ath10k: Validate first subframe of A-MSDU before
- processing the list
-
-In certain scenarios a normal MSDU can be received as an A-MSDU when
-the A-MSDU present bit of a QoS header gets flipped during reception.
-Since this bit is unauthenticated, the hardware crypto engine can pass
-the frame to the driver without any error indication.
-
-This could result in processing unintended subframes collected in the
-A-MSDU list. Hence, validate A-MSDU list by checking if the first frame
-has a valid subframe header.
-
-Comparing the non-aggregated MSDU and an A-MSDU, the fields of the first
-subframe DA matches the LLC/SNAP header fields of a normal MSDU.
-In order to avoid processing such frames, add a validation to
-filter such A-MSDU frames where the first subframe header DA matches
-with the LLC/SNAP header pattern.
-
-Tested-on: QCA9984 hw1.0 PCI 10.4-3.10-00047
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Sriram R <srirrama@codeaurora.org>
-Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/drivers/net/wireless/ath/ath10k/htt_rx.c
-+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
-@@ -2108,14 +2108,62 @@ static void ath10k_htt_rx_h_unchain(stru
- ath10k_unchain_msdu(amsdu, unchain_cnt);
- }
-
-+static bool ath10k_htt_rx_validate_amsdu(struct ath10k *ar,
-+ struct sk_buff_head *amsdu)
-+{
-+ u8 *subframe_hdr;
-+ struct sk_buff *first;
-+ bool is_first, is_last;
-+ struct htt_rx_desc *rxd;
-+ struct ieee80211_hdr *hdr;
-+ size_t hdr_len, crypto_len;
-+ enum htt_rx_mpdu_encrypt_type enctype;
-+ int bytes_aligned = ar->hw_params.decap_align_bytes;
-+
-+ first = skb_peek(amsdu);
-+
-+ rxd = (void *)first->data - sizeof(*rxd);
-+ hdr = (void *)rxd->rx_hdr_status;
-+
-+ is_first = !!(rxd->msdu_end.common.info0 &
-+ __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
-+ is_last = !!(rxd->msdu_end.common.info0 &
-+ __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
-+
-+ /* Return in case of non-aggregated msdu */
-+ if (is_first && is_last)
-+ return true;
-+
-+ /* First msdu flag is not set for the first msdu of the list */
-+ if (!is_first)
-+ return false;
-+
-+ enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
-+ RX_MPDU_START_INFO0_ENCRYPT_TYPE);
-+
-+ hdr_len = ieee80211_hdrlen(hdr->frame_control);
-+ crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
-+
-+ subframe_hdr = (u8 *)hdr + round_up(hdr_len, bytes_aligned) +
-+ crypto_len;
-+
-+ /* Validate if the amsdu has a proper first subframe.
-+ * There are chances a single msdu can be received as amsdu when
-+ * the unauthenticated amsdu flag of a QoS header
-+ * gets flipped in non-SPP AMSDU's, in such cases the first
-+ * subframe has llc/snap header in place of a valid da.
-+ * return false if the da matches rfc1042 pattern
-+ */
-+ if (ether_addr_equal(subframe_hdr, rfc1042_header))
-+ return false;
-+
-+ return true;
-+}
-+
- static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar,
- struct sk_buff_head *amsdu,
- struct ieee80211_rx_status *rx_status)
- {
-- /* FIXME: It might be a good idea to do some fuzzy-testing to drop
-- * invalid/dangerous frames.
-- */
--
- if (!rx_status->freq) {
- ath10k_dbg(ar, ATH10K_DBG_HTT, "no channel configured; ignoring frame(s)!\n");
- return false;
-@@ -2126,6 +2174,11 @@ static bool ath10k_htt_rx_amsdu_allowed(
- return false;
- }
-
-+ if (!ath10k_htt_rx_validate_amsdu(ar, amsdu)) {
-+ ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid amsdu received\n");
-+ return false;
-+ }
-+
- return true;
- }
-
diff --git a/package/kernel/mac80211/patches/ath10k/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch b/package/kernel/mac80211/patches/ath10k/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch
index 5e74687826..ce8effe3c3 100644
--- a/package/kernel/mac80211/patches/ath10k/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch
+++ b/package/kernel/mac80211/patches/ath10k/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch
@@ -114,7 +114,7 @@ v13:
 ath10k_core-$(CONFIG_DEV_COREDUMP) += coredump.o
 --- a/local-symbols
 +++ b/local-symbols
-@@ -146,6 +146,7 @@ ATH10K_DEBUG=
+@@ -145,6 +145,7 @@ ATH10K_DEBUG=
 ATH10K_DEBUGFS=
 ATH10K_SPECTRAL=
 ATH10K_THERMAL=
@@ -456,7 +456,7 @@ v13:
 {
 --- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
 +++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-@@ -4591,6 +4591,8 @@ static const struct wmi_ops wmi_tlv_ops
+@@ -4594,6 +4594,8 @@ static const struct wmi_ops wmi_tlv_ops
 .gen_echo = ath10k_wmi_tlv_op_gen_echo,
 .gen_vdev_spectral_conf = ath10k_wmi_tlv_op_gen_vdev_spectral_conf,
 .gen_vdev_spectral_enable = ath10k_wmi_tlv_op_gen_vdev_spectral_enable, |