Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3653257pxb;
        Mon, 24 Jan 2022 14:31:05 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwejR1jLongRqGTcmMf4G7DWLcp6FzRyBhtvr7OurXaurM4qcWOf/1xq1TT+mHMk0Cbxfti
X-Received: by 2002:a05:6a00:2410:b0:4bc:dda9:2e92 with SMTP id z16-20020a056a00241000b004bcdda92e92mr15626629pfh.76.1643063464919;
        Mon, 24 Jan 2022 14:31:04 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643063464; cv=none;
        d=google.com; s=arc-20160816;
        b=pc+CRBLL7Rc8CN85Vfx9kYpDYGcc8AIt8rCwwmFJXCGSiSQyRuhC7t+pF16hfnPL+h
         AwJJkbzGfuUDaFSybuJZHZt0kYlTsEiPUMm3R8wn6h6tV2Ws9eSyyY4kP1W7sapcBftd
         ObhquzLeDDAOdF16SQoFrnCQj6EyjCeTt1wda1Z51z3YPaLcgUIDo4/6FK/cpcrc2xJY
         u9Lzsqlb+X7YR/97xrj807Ffpf08J3CtRDVYzR+WXJm8bO8SMAUWSc4Ddt50ajbAQ4Dd
         AlDukVp2LAJP3YMnpHwiSDEmvMEo5++Hz9ObSMoTeSuwtS8q5lH7CGy6E0MHtX4ADsmw
         LYPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=Gl8aDT6RoLTpBA4peSewumf5uOD4HFLyr60ZxjC6MDM=;
        b=a2lv8Qz3BohxHtgfaZhsj9f7eA+LnC3dybbd5n85nnPUKL4Y+J4kTEWIVTfTHiLG/I
         +RNhIJKNt7OT1nc904JsFBv3cESSciSPitRtdHId442IZwWvkxy0YRMmk5xKqov7cU+Y
         QGul4yRaefAMxWfyXzBSASJHTRn3Xf1yt14Rbb9OQmOzDwZBIw6Tvsv6fO1Hcu+713AU
         pVUti64BzMhOrVSqvJqIbOh7/HIXcKMp0cQYvZ6DwHvvL4lUi8JowcyvOG4EiciAx5Pi
         toAJ73OwAibuvyFBCOjO2yfeyF1BYm+cNLBoTXyN0e5IX089V/N3FnAcP3JxgG6i4msF
         BVYg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1k8O7klp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d15si556271pjd.35.2022.01.24.14.30.52;
        Mon, 24 Jan 2022 14:31:04 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=1k8O7klp;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1584672AbiAXWVb (ORCPT <rfc822;troverman@gmail.com> + 99 others);
        Mon, 24 Jan 2022 17:21:31 -0500
Received: from dfw.source.kernel.org ([139.178.84.217]:47434 "EHLO
        dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1452938AbiAXV12 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Jan 2022 16:27:28 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 3FF9C61469;
        Mon, 24 Jan 2022 21:27:23 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1C558C340E4;
        Mon, 24 Jan 2022 21:27:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1643059642;
        bh=slkzV2uCi161ff2FMYKOSO9pXjF+rfhmk/CRWGQotis=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=1k8O7klpE1iS54jCJvKfEfEdzJgSFTcTH/Lt6K+XjxqU5q0Nw4AiIn/FJE/yxHDOM
         QqbbX4C4sKoUhF45+OCB2VVjEs1z8e0TMe5dDcA1EMLWeU4X5PGt1FPagTizXju6JO
         ivzl+RoKlz5K7NSLsH/SZknyXUEW9oiVPF/mMh8o=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Ilan Peer <ilan.peer@intel.com>,
        Luca Coelho <luciano.coelho@intel.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.16 0683/1039] iwlwifi: mvm: Fix calculation of frame length
Date:   Mon, 24 Jan 2022 19:41:12 +0100
Message-Id: <20220124184148.313794057@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124184125.121143506@linuxfoundation.org>
References: <20220124184125.121143506@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ilan Peer <ilan.peer@intel.com>

[ Upstream commit 40a0b38d7a7f91a6027287e0df54f5f547e8d27e ]

The RADA might include in the Rx frame the MIC and CRC bytes.
These bytes should be removed for non monitor interfaces and
should not be passed to mac80211.

Fix the Rx processing to remove the extra bytes on non monitor
cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211219121514.098be12c801e.I1d81733d8a75b84c3b20eb6e0d14ab3405ca6a86@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index e0601f802628c..1e2a55ccf1926 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -121,12 +121,39 @@ static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
 	struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
 	unsigned int headlen, fraglen, pad_len = 0;
 	unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+	u8 mic_crc_len = u8_get_bits(desc->mac_flags1,
+				     IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK) << 1;
 
 	if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) {
 		len -= 2;
 		pad_len = 2;
 	}
 
+	/*
+	 * For non monitor interface strip the bytes the RADA might not have
+	 * removed. As monitor interface cannot exist with other interfaces
+	 * this removal is safe.
+	 */
+	if (mic_crc_len && !ieee80211_hw_check(mvm->hw, RX_INCLUDES_FCS)) {
+		u32 pkt_flags = le32_to_cpu(pkt->len_n_flags);
+
+		/*
+		 * If RADA was not enabled then decryption was not performed so
+		 * the MIC cannot be removed.
+		 */
+		if (!(pkt_flags & FH_RSCSR_RADA_EN)) {
+			if (WARN_ON(crypt_len > mic_crc_len))
+				return -EINVAL;
+
+			mic_crc_len -= crypt_len;
+		}
+
+		if (WARN_ON(mic_crc_len > len))
+			return -EINVAL;
+
+		len -= mic_crc_len;
+	}
+
 	/* If frame is small enough to fit in skb->head, pull it completely.
 	 * If not, only pull ieee80211_hdr (including crypto if present, and
 	 * an additional 8 bytes for SNAP/ethertype, see below) so that
-- 
2.34.1