From: Baochen Qiang
To: ath11k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org
Subject: [PATCH v2] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets
Date: Thu, 16 Sep 2021 14:46:17 +0800
Message-Id: <20210916064617.20006-1-bqiang@codeaurora.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-wireless@vger.kernel.org

For fragmented packets, ath11k reassembles each fragment as a normal packet and then reinjects it into HW ring. In this case, the DMA direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise invalid payload will be reinjected to HW and then delivered to host. What is more, since arbitrary memory could be allocated to the frame, we don't know what kind of data is contained in the buffer reinjected. Thus, as a bad result, private info may be leaked.

Note that this issue is only found on Intel platform.

Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1

Signed-off-by: Baochen Qiang
--- drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 90da56316e7e..a55dff784724 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -3434,7 +3434,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti paddr = dma_map_single(ab->dev, defrag_skb->data, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); if (dma_mapping_error(ab->dev, paddr)) return -ENOMEM; @@ -3499,7 +3499,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti spin_unlock_bh(&rx_refill_ring->idr_lock); err_unmap_dma: dma_unmap_single(ab->dev, paddr, defrag_skb->len + skb_tailroom(defrag_skb), - DMA_FROM_DEVICE); + DMA_TO_DEVICE); return ret; } -- 2.25.1
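
Review bot: In the first hunk (@@ -3434), the dma_map_single() call still maps defrag_skb->len + skb_tailroom(defrag_skb) bytes, so with DMA_TO_DEVICE the unused tailroom past the reassembled payload is handed to the device along with the frame. Given the commit message's own concern about arbitrary memory contents ending up in the reinjected buffer, consider mapping only defrag_skb->len, or state in the message why the tailroom has to be covered. The message also says the issue is only found on Intel platforms without saying why; a sentence on the cause and a Fixes: tag would make the change easier to backport.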
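
Review bot: The second hunk (@@ -3499) changes the direction only on the err_unmap_dma error path, and the patch does not show where this buffer is unmapped once the reinjection succeeds. dma_unmap_single() has to be called with the same direction that was passed to dma_map_single(), so please confirm the unmap on the normal path uses DMA_TO_DEVICE as well, or add a comment at the map call noting where that unmap happens and with which direction.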