From: Jouni Malinen
To: Kalle Valo
Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, Baochen Qiang, Jouni Malinen
Subject: [PATCH 1/5] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets
Date: Mon, 13 Sep 2021 21:02:42 +0300
Message-Id: <20210913180246.193388-1-jouni@codeaurora.org>

From: Baochen Qiang

For fragmented packets, ath11k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise invalid payload will be reinjected to HW and then delivered to host.

What is more, since arbitrary memory could be allocated to the frame, we don't know what kind of data is contained in the buffer reinjected. Thus, as a bad result, private info may be leaked.

Note that this issue is only found on Intel platform.

Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1

Signed-off-by: Baochen Qiang
Signed-off-by: Jouni Malinen

--- drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 90da56316e7e..0c27eead3e02 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -3434,7 +3434,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti paddr = dma_map_single(ab->dev, defrag_skb->data, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); if (dma_mapping_error(ab->dev, paddr)) return -ENOMEM; -- 2.25.1
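
Review bot: The length passed to dma_map_single() in ath11k_dp_rx_h_defrag_reo_reinject() is still defrag_skb->len + skb_tailroom(defrag_skb), so with DMA_TO_DEVICE the mapping hands the device the uninitialized tailroom behind the reassembled frame as well as the frame itself, which is close to the information-leak concern the commit message raises. If the hardware only consumes the frame, mapping defrag_skb->len alone would be tighter; if it really needs the whole buffer, a short comment saying why would help. Separately, the diffstat shows a single changed line, so please confirm that the dma_unmap_single() for this paddr also uses DMA_TO_DEVICE, since the DMA API requires the map and unmap directions to match and CONFIG_DMA_API_DEBUG reports a mismatch.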