[][MAC80211][core][mt76][Add fixes for recently discovered security issues]
[Description]
Add fixes for recently discovered security issues
[Release-log]
N/A
Change-Id: Ib28eaeff922b41fe2c4882d045c6f1395c43e677
Reviewed-on: https://gerrit.mediatek.inc/c/openwrt/feeds/mtk_openwrt_feeds/+/7330871
diff --git a/autobuild_mac80211_release/package/kernel/mac80211/patches/subsys/349-wifi-mac80211-flush-queues-on-STA-removal.patch b/autobuild_mac80211_release/package/kernel/mac80211/patches/subsys/349-wifi-mac80211-flush-queues-on-STA-removal.patch
new file mode 100644
index 0000000..3e148a9
--- /dev/null
+++ b/autobuild_mac80211_release/package/kernel/mac80211/patches/subsys/349-wifi-mac80211-flush-queues-on-STA-removal.patch
@@ -0,0 +1,36 @@
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 13 Mar 2023 11:42:12 +0100
+Subject: [PATCH] wifi: mac80211: flush queues on STA removal
+
+When we remove a station, we first make it unreachable,
+then we (must) remove its keys, and then remove the
+station itself. Depending on the hardware design, if
+we have hardware crypto at all, frames still sitting
+on hardware queues may then be transmitted without a
+valid key, possibly unencrypted or with a fixed key.
+
+Fix this by flushing the queues when removing stations
+so this cannot happen.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Greenman, Gregory <gregory.greenman@intel.com>
+---
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1070,6 +1070,14 @@ static void __sta_info_destroy_part2(str
+ WARN_ON_ONCE(ret);
+ }
+
++ /* Flush queues before removing keys, as that might remove them
++ * from hardware, and then depending on the offload method, any
++ * frames sitting on hardware queues might be sent out without
++ * any encryption at all.
++ */
++ if (local->ops->set_key)
++ ieee80211_flush_queues(local, sta->sdata, false);
++
+ /* now keys can no longer be reached */
+ ieee80211_free_sta_keys(local, sta);
+