Message ID | 20240520070045.631029-2-quic_ppranees@quicinc.com |
---|---|
State | New |
Headers | show |
Series | wifi: ath12k: fix issues in rx fragmentation path | expand |
On 5/20/2024 12:00 AM, P Praneesh wrote: > For fragmented packets, ath12k reassembles each fragment as a normal > packet and then reinjects it into HW ring. In this case, the DMA > direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, > an invalid payload may be reinjected into the HW and > subsequently delivered to the host. > > Given that arbitrary memory can be allocated to the skb buffer, > knowledge about the data contained in the reinjected buffer is lacking. > Consequently, there’s a risk of private information being leaked. > > Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 > > Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") > Co-developed-by: Baochen Qiang <quic_bqiang@quicinc.com> > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> > Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
P Praneesh <quic_ppranees@quicinc.com> wrote: > For fragmented packets, ath12k reassembles each fragment as a normal > packet and then reinjects it into HW ring. In this case, the DMA > direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, > an invalid payload may be reinjected into the HW and > subsequently delivered to the host. > > Given that arbitrary memory can be allocated to the skb buffer, > knowledge about the data contained in the reinjected buffer is lacking. > Consequently, there’s a risk of private information being leaked. > > Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 > > Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") > Co-developed-by: Baochen Qiang <quic_bqiang@quicinc.com> > Signed-off-by: Baochen Qiang <quic_bqiang@quicinc.com> > Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> > Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> 3 patches applied to ath-next branch of ath.git, thanks. 33322e3ef074 wifi: ath12k: change DMA direction while mapping reinjected packets 073f9f249eec wifi: ath12k: fix invalid memory access while processing fragmented packets a57ab7cced45 wifi: ath12k: fix firmware crash during reo reinject
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c index 37205e894afe..2bfcc19d15ea 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -3004,7 +3004,7 @@ static int ath12k_dp_rx_h_defrag_reo_reinject(struct ath12k *ar, buf_paddr = dma_map_single(ab->dev, defrag_skb->data, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); if (dma_mapping_error(ab->dev, buf_paddr)) return -ENOMEM; @@ -3090,7 +3090,7 @@ static int ath12k_dp_rx_h_defrag_reo_reinject(struct ath12k *ar, spin_unlock_bh(&dp->rx_desc_lock); err_unmap_dma: dma_unmap_single(ab->dev, buf_paddr, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); return ret; }