Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3751967pxj;
        Tue, 11 May 2021 11:04:35 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyuz9znMP539V5I+HrxrjqQq6oWB2gN3d2k68S0WunvWmGW/PEscnv1zAG83QmDVDbQmU7N
X-Received: by 2002:a05:6512:33c1:: with SMTP id d1mr20878791lfg.412.1620756275356;
        Tue, 11 May 2021 11:04:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620756275; cv=none;
        d=google.com; s=arc-20160816;
        b=l2QsuWKCYan9Aw2/Hy9V+y4XLFFl3pIcrWQUEGubSy852HAjfwoA1uWgUzsyoELBmS
         PzXocdcpRIteiX9FHKQb6jNfolxttQRBi6xABbjLlgcZbU07oJr29IDq68U61Cx0Ihqr
         RT+WMTa4Hzqu6xg5ceAf2zZiBsmVRnXgmqNAX1a/cR3yho977FfeJyasm8UTrUP0uca1
         O8B+ykrI36qP4OZke1zRVFN4GYFCG8XMfqikUv/1lYU7siGDNqGqy+JXuNEl2FLA3Bvf
         QiqAmScxfAWa7KcBHPGIh2Dtx0nfCZ+FVEZLZ5YLo67nw+A4MXl16EMgQS4m5ID8Hr10
         f1GQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from;
        bh=5YDnx7QDq6DwvBQd6i3qvDw+Gtawpr0s7OcwpTtBQHc=;
        b=M+DQI6VUIadMhRv88DJln6DoHIq5Vi12S+m+Qjw4rZHjl4XJ+RpyIcrs2pIhVb0Sz5
         Yf67ht7knanUDUi/Hm+5bgFgzBtLkEUcTQI2eI95ejiHom6D4YlYinbAvcKN9OXx2WLt
         WUk2pvlfZYoH2N5Y2x6JhgyHXWuOrcIQgPS5WFAbtBYQtchxmJHiS5EM3GoRQWy3x8Ye
         eh5m30prV4R3JTi4c+iTm7WbSiUEJtN9jxJ1U71DfbcXcCJhaY/XaJ+rFv/YKp82f1E0
         Dlm3HkL7WUk+NHK6GaEXAJBW+44JYdY2NlRnvZuLcTtrLaGhO2xDNd98RokPtZxoWkLr
         lEKA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id d21si20843811lfl.334.2021.05.11.11.04.05;
        Tue, 11 May 2021 11:04:35 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231993AbhEKSEl (ORCPT <rfc822;mike.rudenko@gmail.com>
        + 99 others); Tue, 11 May 2021 14:04:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41188 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231454AbhEKSEX (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Tue, 11 May 2021 14:04:23 -0400
Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CAAFC061344;
        Tue, 11 May 2021 11:03:14 -0700 (PDT)
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.94.2)
        (envelope-from <johannes@sipsolutions.net>)
        id 1lgWiu-007aAS-Db; Tue, 11 May 2021 20:03:12 +0200
From:   Johannes Berg <johannes@sipsolutions.net>
To:     linux-wireless@vger.kernel.org
Cc:     Wen Gong <wgong@codeaurora.org>, stable@vger.kernel.org
Subject: [PATCH 14/18] ath10k: drop MPDU which has discard flag set by firmware for SDIO
Date:   Tue, 11 May 2021 20:02:55 +0200
Message-Id: <20210511200110.11968c725b5c.Idd166365ebea2771c0c0a38c78b5060750f90e17@changeid>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210511180259.159598-1-johannes@sipsolutions.net>
References: <20210511180259.159598-1-johannes@sipsolutions.net>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Wen Gong <wgong@codeaurora.org>

When the discard flag is set by the firmware for an MPDU, it should be
dropped. This allows a mitigation for CVE-2020-24588 to be implemented
in the firmware.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
 drivers/net/wireless/ath/ath10k/htt_rx.c  |  5 +++++
 drivers/net/wireless/ath/ath10k/rx_desc.h | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index b1d93ff5215a..12451ab66a19 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl(struct ath10k_htt *htt,
 	fw_desc = &rx->fw_desc;
 	rx_desc_len = fw_desc->len;
 
+	if (fw_desc->u.bits.discard) {
+		ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
+		goto err;
+	}
+
 	/* I have not yet seen any case where num_mpdu_ranges > 1.
 	 * qcacld does not seem handle that case either, so we introduce the
 	 * same limitiation here as well.
diff --git a/drivers/net/wireless/ath/ath10k/rx_desc.h b/drivers/net/wireless/ath/ath10k/rx_desc.h
index f2b6bf8f0d60..705b6295e466 100644
--- a/drivers/net/wireless/ath/ath10k/rx_desc.h
+++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
@@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
 #define FW_RX_DESC_UDP              (1 << 6)
 
 struct fw_rx_desc_hl {
-	u8 info0;
+	union {
+		struct {
+		u8 discard:1,
+		   forward:1,
+		   any_err:1,
+		   dup_err:1,
+		   reserved:1,
+		   inspect:1,
+		   extension:2;
+		} bits;
+		u8 info0;
+	} u;
+
 	u8 version;
 	u8 len;
 	u8 flags;
-- 
2.30.2