Drivers for Qualcomm wifi chips (ath*k) and security issues

["Pali Rohár" <pali@kernel.org>]

Hello Sasha and Greg!

Last week I sent request for backporting ath9k wifi fixes for security
issue CVE-2020-3702 into stable LTS kernels because Qualcomm/maintainers
did not it for more months... details are in email:
https://lore.kernel.org/stable/20210818084859.vcs4vs3yd6zetmyt@pali/t/#u

And now I got reports that in stable LTS kernels (4.14, 4.19) are
missing also other fixes for other Qualcomm wifi security issues,
covered by FragAttacks codename: CVE-2020-26145 CVE-2020-26139
CVE-2020-26141

People have already asked if somebody is already doing backports to 4.19
of patches for these security issues, but there was no response, see email:
https://lore.kernel.org/linux-wireless/704e1c77-6c48-79f7-043a-b2d03fbfef8b@candelatech.com/

I got information that issues for ath10k are again going to be (or are
already?) fixed in some vendor custom/fork kernels, but not in official
stable tree 4.14/4.19 (yet).

This situation is really bad because lot of times I hear to use mainline
kernel versions or official stable LTS tree (which are maintained by
you), but due to such security issues in LTS trees which stays unfixed
and others say to use rather vendor custom/fork kernels where it is
claimed that issues are fixed.

And because there is no statement for end users (end users do not
communicate with vendors and so they do not have information what is
supported and what not), end users just use what Linux open source
distributions have in their kernels (which lot of times match official
LTS kernel trees). And users think that everything is OK and security
issues are fixed.

So there is really a need for public statement from you or Qualcomm
side, if stable LTS kernel trees are going to include security fixes for
drivers used by Qualcomm wifi chips (ath*k) or not or under which
conditions. And what should users / Linux distributions use if they do
not want to have years-old unpatched drivers with security issues. Such
information is really important also for distributions which include
unmodified (or slightly modified) kernel LTS trees into their own
packages. As they also need to know from which source should take
(e.g. Qualcomm wifi) drivers for their systems to ensure that have
security patches applied.

I can understand that you or other people or volunteers do not have time
to track or maintain some parts of drivers. So nothing wrong if official
statement is that stable trees X and Y do not receive security updates
for driver A and B anymore. Also I can understand that it takes some
time to include required fixes, so expect fixes for A and B in X and Y
versions with one month delay. But it is needed to know what should
people expect from LTS trees for particular drivers. Because I think it
is not currently clear...

Do not take me wrong, I just wanted to show that this is hidden problem
which needs some discussion.