Pali Rohár <pali@xxxxxxxxxx> writes: > On Thursday 17 December 2020 06:51:48 Kalle Valo wrote: >> Jouni Malinen <jouni@xxxxxxxxxxxxxx> wrote: >> >> > It is possible for there to be pending frames in TXQs with a reference >> > to the key cache entry that is being deleted. If such a key cache entry >> > is cleared, those pending frame in TXQ might get transmitted without >> > proper encryption. It is safer to leave the previously used key into the >> > key cache in such cases. Instead, only clear the MAC address to prevent >> > RX processing from using this key cache entry. >> > >> > This is needed in particularly in AP mode where the TXQs cannot be >> > flushed on station disconnection. This change alone may not be able to >> > address all cases where the key cache entry might get reused for other >> > purposes immediately (the key cache entry should be released for reuse >> > only once the TXQs do not have any remaining references to them), but >> > this makes it less likely to get unprotected frames and the more >> > complete changes may end up being significantly more complex. >> > >> > Signed-off-by: Jouni Malinen <jouni@xxxxxxxxxxxxxx> >> > Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx> >> >> 5 patches applied to ath-next branch of ath.git, thanks. >> >> 56c5485c9e44 ath: Use safer key clearing with key cache entries >> 73488cb2fa3b ath9k: Clear key cache explicitly on disabling hardware >> d2d3e36498dd ath: Export ath_hw_keysetmac() >> 144cd24dbc36 ath: Modify ath_key_delete() to not need full key entry >> ca2848022c12 ath9k: Postpone key cache entry deletion for TXQ frames reference it > > Hello! Should not these patches be suitable for backporting into stable > kernels (via CC: stable@ commit message line) as they are related to > security issue CVE-2020-3702? Yeah, but you were just a little late as I already applied them. -- https://patchwork.kernel.org/project/linux-wireless/list/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
