From patchwork Mon May 20 07:00:43 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: P Praneesh X-Patchwork-Id: 798138 Received: from mx0a-0031df01.pphosted.com (mx0a-0031df01.pphosted.com [205.220.168.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A960817BAF for ; Mon, 20 May 2024 07:01:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=205.220.168.131 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716188474; cv=none; b=M2Mwaum8910DVTyYGkb6KotXNDyABCKq4778bJS1xYQjUH6k5qVAT8lpDOu9JNhlatphZoXftdJs3IVttAirEDiy0CI0gKH9yF5DacGCIQ2GzuMFqNfPILsSNHcIxBRQ8CZ5kVONDy4jG6xalCoxGjMW984uHrjGaAC+5wJd4Gs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1716188474; c=relaxed/simple; bh=3iZ+lur7Q6wAKNH61lh9vBI2e6Jm7CzmfKNs4FJr0OQ=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=iBPba4En6ju8ZCM0SKnoK/qHldfzMOVZrUb71s9GAJqnC9wnhcGNQbKZdJxPByQhluhQvX0fk9j1b9g+1DYpu9bVjMToDJTtRPP16QU9yrS+K+nazHIccpzF7IoRp2pgbRGcvcE6cbdMDOnLvtqjxgDnyIKCm8aOxlWS4d987Cc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com; spf=pass smtp.mailfrom=quicinc.com; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b=oDD09fPZ; arc=none smtp.client-ip=205.220.168.131 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=quicinc.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=quicinc.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=quicinc.com header.i=@quicinc.com header.b="oDD09fPZ" Received: from pps.filterd (m0279863.ppops.net [127.0.0.1]) by mx0a-0031df01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 44JNuQNH002173; Mon, 20 May 2024 07:01:10 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; h= from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s= qcppdkim1; bh=C0sVOv4nloc8Q94vG7AZzEtyHNxkhk+KHkcEVtNAOmA=; b=oD D09fPZ/BlMRR8E/uiptxpkGeKPlarFVI8pwlHmSDk7vU01h0l1j2/iViI0fDcOnK 30SB7xCLihWCJeSyhUmqEbLRpsLK3AGu15dU6WrbU9ObIgSUyXfn+4eVMMgIcfs2 ekp+roHpTOef4HrqcuqIZ+UOjUNJlTtU4UWNz/9Jcf5KBFk3zNTT+Kh5aWpJPAJY Tkb7hh8qwzlf8XqFzPH+MaNc8BnrNLimml8b084YaKOcmXNrCNvmJelGpZi9nIHd NBtc+4O+9wk/CcKd8m9aJkhe55pRgHul2oT/UQH10iWD2fbn7FSnzfgNS78Jqgm+ YUrEYJ70+IsmLtjjZPJg== Received: from nalasppmta05.qualcomm.com (Global_NAT1.qualcomm.com [129.46.96.20]) by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3y6pr2jh96-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 20 May 2024 07:01:10 +0000 (GMT) Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com [10.47.209.196]) by NALASPPMTA05.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id 44K719eq023158 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 20 May 2024 07:01:09 GMT Received: from hu-ppranees-blr.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.9; Mon, 20 May 2024 00:01:07 -0700 From: P Praneesh To: CC: , P Praneesh , Baochen Qiang Subject: [PATCH 1/3] wifi: ath12k: change DMA direction while mapping reinjected packets Date: Mon, 20 May 2024 12:30:43 +0530 Message-ID: <20240520070045.631029-2-quic_ppranees@quicinc.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240520070045.631029-1-quic_ppranees@quicinc.com> References: <20240520070045.631029-1-quic_ppranees@quicinc.com> Precedence: bulk X-Mailing-List: linux-wireless@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To nalasex01a.na.qualcomm.com (10.47.209.196) X-QCInternal: smtphost X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800 signatures=585085 X-Proofpoint-ORIG-GUID: lDrFNiwhl3tZSdeF8xBLYodBY_m5BOgR X-Proofpoint-GUID: lDrFNiwhl3tZSdeF8xBLYodBY_m5BOgR X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.650,FMLib:17.11.176.26 definitions=2024-05-20_04,2024-05-17_03,2023-05-22_02 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 mlxlogscore=816 bulkscore=0 malwarescore=0 spamscore=0 priorityscore=1501 impostorscore=0 clxscore=1015 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxscore=0 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405010000 definitions=main-2405200057 For fragmented packets, ath12k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE. Otherwise, an invalid payload may be reinjected into the HW and subsequently delivered to the host. Given that arbitrary memory can be allocated to the skb buffer, knowledge about the data contained in the reinjected buffer is lacking. Consequently, there’s a risk of private information being leaked. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00209-QCAHKSWPL_SILICONZ-1 Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Co-developed-by: Baochen Qiang Signed-off-by: Baochen Qiang Signed-off-by: P Praneesh Acked-by: Jeff Johnson --- drivers/net/wireless/ath/ath12k/dp_rx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c index 37205e894afe..2bfcc19d15ea 100644 --- a/drivers/net/wireless/ath/ath12k/dp_rx.c +++ b/drivers/net/wireless/ath/ath12k/dp_rx.c @@ -3004,7 +3004,7 @@ static int ath12k_dp_rx_h_defrag_reo_reinject(struct ath12k *ar, buf_paddr = dma_map_single(ab->dev, defrag_skb->data, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); if (dma_mapping_error(ab->dev, buf_paddr)) return -ENOMEM; @@ -3090,7 +3090,7 @@ static int ath12k_dp_rx_h_defrag_reo_reinject(struct ath12k *ar, spin_unlock_bh(&dp->rx_desc_lock); err_unmap_dma: dma_unmap_single(ab->dev, buf_paddr, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); return ret; }