From: Johannes Berg
To: linux-wireless@vger.kernel.org
Cc: Wen Gong, stable@vger.kernel.org
Subject: [PATCH 14/18] ath10k: drop MPDU which has discard flag set by firmware for SDIO
Date: Tue, 11 May 2021 20:02:55 +0200
Message-Id: <20210511200110.11968c725b5c.Idd166365ebea2771c0c0a38c78b5060750f90e17@changeid>
In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net>

From: Wen Gong

When the discard flag is set by the firmware for an MPDU, it should be dropped. This allows a mitigation for CVE-2020-24588 to be implemented in the firmware.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong
Signed-off-by: Jouni Malinen
Signed-off-by: Johannes Berg
--- drivers/net/wireless/ath/ath10k/htt_rx.c | 5 +++++ drivers/net/wireless/ath/ath10k/rx_desc.h | 14 +++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index b1d93ff5215a..12451ab66a19 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl(struct ath10k_htt *htt, fw_desc = &rx->fw_desc; rx_desc_len = fw_desc->len; + if (fw_desc->u.bits.discard) { + ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n"); + goto err; + } + /* I have not yet seen any case where num_mpdu_ranges > 1. * qcacld does not seem handle that case either, so we introduce the * same limitiation here as well. diff --git a/drivers/net/wireless/ath/ath10k/rx_desc.h b/drivers/net/wireless/ath/ath10k/rx_desc.h index f2b6bf8f0d60..705b6295e466 100644 --- a/drivers/net/wireless/ath/ath10k/rx_desc.h +++ b/drivers/net/wireless/ath/ath10k/rx_desc.h @@ -1282,7 +1282,19 @@ struct fw_rx_desc_base { #define FW_RX_DESC_UDP (1 << 6) struct fw_rx_desc_hl { - u8 info0; + union { + struct { + u8 discard:1, + forward:1, + any_err:1, + dup_err:1, + reserved:1, + inspect:1, + extension:2; + } bits; + u8 info0; + } u; + u8 version; u8 len; u8 flags; -- 2.30.2
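
Review bot: In the htt_rx.c hunk, the new `if (fw_desc->u.bits.discard)` check treats one bit of what was previously the opaque `info0` byte as authoritative, with no firmware version or capability condition around it. The commit lists a single tested firmware (QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049) and the subject says SDIO, while the check sits unconditionally in `ath10k_htt_rx_proc_rx_ind_hl()`, so the commit message should state that older firmware, and any other user of this path, leaves that bit clear; otherwise valid MPDUs would be dropped. The drop is also only visible through `ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n")`, which carries no identifying detail; a counter or a more specific message would make firmware-initiated drops diagnosable in the field.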
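
Review bot: In the rx_desc.h hunk, the `bits` struct overlays C bitfields on a firmware-defined byte, and bitfield allocation order is implementation-defined: on a big-endian build `discard:1` will typically land on the most significant bit of `info0` rather than the least significant one, so the new drop check in htt_rx.c would test the wrong bit. The header already uses mask defines (`#define FW_RX_DESC_UDP (1 << 6)`), so a mask applied to `info0` in that style would be portable and would make the union unnecessary. The new fields (`forward`, `any_err`, `dup_err`, `inspect`, `extension`) also have no comment saying what they mean or which firmware sets them.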