From 566a8a06e2bf2d5a0e4f4b62fe0e84f7f9970f74 Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Fri, 31 Mar 2023 16:59:16 +0200
Subject: [PATCH 56/70] wifi: mac80211: flush queues on STA removal

When we remove a station, we first make it unreachable,
then we (must) remove its keys, and then remove the
station itself. Depending on the hardware design, if
we have hardware crypto at all, frames still sitting
on hardware queues may then be transmitted without a
valid key, possibly unencrypted or with a fixed key.

Fix this by flushing the queues when removing stations
so this cannot happen.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 net/mac80211/sta_info.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 3d2ddaf..a47cb32 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1306,6 +1306,14 @@ static void __sta_info_destroy_part2(struct sta_info *sta)
 			ieee80211_flush_queues(local, sta->sdata, false);
 	}
 
+	/* Flush queues before removing keys, as that might remove them
+	 * from hardware, and then depending on the offload method, any
+	 * frames sitting on hardware queues might be sent out without
+	 * any encryption at all.
+	 */
+	if (local->ops->set_key)
+		ieee80211_flush_queues(local, sta->sdata, false);
+
 	/* now keys can no longer be reached */
 	ieee80211_free_sta_keys(local, sta);
 
-- 
2.39.2

