openwrt-ipq-breeze303/package/kernel/mac80211/patches/nss/ath11k/357-ath11k-fix-clear-peer-keys-during-disassoc.patch

From 451cd8d4f107750d86a51c3cf750015676991d17 Mon Sep 17 00:00:00 2001
From: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Date: Thu, 11 Aug 2022 21:27:16 +0530
Subject: [PATCH] ath11k: fix clearing peer keys during sta state auth to assoc

During station state change from AUTHORIZED to ASSOC, driver must clear its key
from hw. Ath11k clearing the keys during ASSOC to AUTH which is not a
valid sequence and there is a chance of accessing ptr after free.

Clear the peer keys while the state of station changes from AUTHORIZED
to ASSOC.

Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
---
 drivers/net/wireless/ath/ath11k/mac.c | 37 ++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 16 deletions(-)

--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -4991,12 +4991,6 @@ static int ath11k_station_disassoc(struc
 			return ret;
 	}
 
-	ret = ath11k_clear_peer_keys(arvif, sta->addr);
-	if (ret) {
-		ath11k_warn(ar->ab, "failed to clear all peer keys for vdev %i: %d\n",
-			    arvif->vdev_id, ret);
-		return ret;
-	}
 	return 0;
 }
 
@@ -10198,6 +10192,17 @@ static int ath11k_mac_op_sta_state(struc
 		arsta->bw = ath11k_mac_ieee80211_sta_bw_to_wmi(ar, sta);
 		arsta->bw_prev = arsta->bw;
 		spin_unlock_bh(&ar->data_lock);
+
+		/* Driver should clear the peer keys during mac80211's ref ptr
+		 * gets cleared in __sta_info_destroy_part2 (trans from
+		 * IEEE80211_STA_AUTHORIZED to IEEE80211_STA_ASSOC)
+		 */
+		ret = ath11k_clear_peer_keys(arvif, sta->addr);
+		if (ret) {
+			ath11k_warn(ar->ab, "failed to clear all peer keys for vdev %i: %d\n",
+					arvif->vdev_id, ret);
+			return ret;
+		}
 	} else if (old_state == IEEE80211_STA_ASSOC &&
 		   new_state == IEEE80211_STA_AUTHORIZED) {
 		spin_lock_bh(&ar->ab->base_lock);