4.19-stable patches

added patches:
	ath10k-fix-tkip-michael-mic-verification-for-pcie.patch

diff --git a/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch b/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch
new file mode 100644 (file)
index 0000000..5ba325b
--- /dev/null
+++ b/queue-4.19/ath10k-fix-tkip-michael-mic-verification-for-pcie.patch
@@ -0,0 +1,58 @@
+From 0dc267b13f3a7e8424a898815dd357211b737330 Mon Sep 17 00:00:00 2001
+From: Wen Gong <wgong@codeaurora.org>
+Date: Tue, 11 May 2021 20:02:56 +0200
+Subject: ath10k: Fix TKIP Michael MIC verification for PCIe
+
+From: Wen Gong <wgong@codeaurora.org>
+
+commit 0dc267b13f3a7e8424a898815dd357211b737330 upstream.
+
+TKIP Michael MIC was not verified properly for PCIe cases since the
+validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did
+not get fully executed due to unexpected flag values in
+ieee80211_rx_status.
+
+Fix this by setting the flags property to meet mac80211 expectations for
+performing Michael MIC validation there. This fixes CVE-2020-26141. It
+does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed
+MIC verification case. This applies only to QCA6174/QCA9377 PCIe.
+
+Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wen Gong <wgong@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Link: https://lore.kernel.org/r/20210511200110.c3f1d42c6746.I795593fcaae941c471425b8c7d5f7bb185d29142@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Ashwin Dayanand Kamat <kashwindayan@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -1645,6 +1645,11 @@ static void ath10k_htt_rx_h_mpdu(struct
+ 
+       skb_queue_walk(amsdu, msdu) {
+               ath10k_htt_rx_h_csum_offload(msdu);
++
++              if (frag && !fill_crypt_header &&
++                  enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
++                      status->flag &= ~RX_FLAG_MMIC_STRIPPED;
++
+               ath10k_htt_rx_h_undecap(ar, msdu, status, first_hdr, enctype,
+                                       is_decrypted);
+ 
+@@ -1662,6 +1667,11 @@ static void ath10k_htt_rx_h_mpdu(struct
+ 
+               hdr = (void *)msdu->data;
+               hdr->frame_control &= ~__cpu_to_le16(IEEE80211_FCTL_PROTECTED);
++
++              if (frag && !fill_crypt_header &&
++                  enctype == HTT_RX_MPDU_ENCRYPT_TKIP_WPA)
++                      status->flag &= ~RX_FLAG_IV_STRIPPED &
++                                      ~RX_FLAG_MMIC_STRIPPED;
+       }
+ }
+ 

diff --git a/queue-4.19/series b/queue-4.19/series
index dfcda3fe4361afb59d63a97a88f793842f75dcf5..61f3bd15d5ad2b9888782a981252f077d7d0b04b 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -285,3 +285,4 @@ net-sched-sch_qfq-account-for-stab-overhead-in-qfq_enqueue.patch
 asoc-cs42l51-fix-driver-to-properly-autoload-with-automatic-module-loading.patch
 net-sched-cls_u32-fix-reference-counter-leak-leading-to-overflow.patch
 drivers-core-use-sysfs_emit-and-sysfs_emit_at-for-show-device-...-functions.patch
+ath10k-fix-tkip-michael-mic-verification-for-pcie.patch