1 files changed, 36 insertions, 0 deletions

diff --git a/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch b/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch
new file mode 100644
index 0000000000..0ad02585ae
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/411-wifi-mac80211-flush-queues-on-STA-removal.patch
@@ -0,0 +1,36 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 13 Mar 2023 11:42:12 +0100
+Subject: [PATCH] wifi: mac80211: flush queues on STA removal
+
+When we remove a station, we first make it unreachable,
+then we (must) remove its keys, and then remove the
+station itself. Depending on the hardware design, if
+we have hardware crypto at all, frames still sitting
+on hardware queues may then be transmitted without a
+valid key, possibly unencrypted or with a fixed key.
+
+Fix this by flushing the queues when removing stations
+so this cannot happen.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
+---
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1066,6 +1066,14 @@ static void __sta_info_destroy_part2(str
+ 		WARN_ON_ONCE(ret);
+ 	}
+ 
++	/* Flush queues before removing keys, as that might remove them
++	 * from hardware, and then depending on the offload method, any
++	 * frames sitting on hardware queues might be sent out without
++	 * any encryption at all.
++	 */
++	if (local->ops->set_key)
++		ieee80211_flush_queues(local, sta->sdata, false);
++
+ 	/* now keys can no longer be reached */
+ 	ieee80211_free_sta_keys(local, sta);
+