03bce4231ba4da5cdc488234553a149fce381e63
[openwrt/staging/jow.git] /
1 From: Wen Gong <wgong@codeaurora.org>
2 Date: Tue, 11 May 2021 20:02:55 +0200
3 Subject: [PATCH] ath10k: drop MPDU which has discard flag set by firmware
4 for SDIO
5
6 When the discard flag is set by the firmware for an MPDU, it should be
7 dropped. This allows a mitigation for CVE-2020-24588 to be implemented
8 in the firmware.
9
10 Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049
11
12 Cc: stable@vger.kernel.org
13 Signed-off-by: Wen Gong <wgong@codeaurora.org>
14 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
15 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
16 ---
17
18 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c
19 +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
20 @@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl
21 fw_desc = &rx->fw_desc;
22 rx_desc_len = fw_desc->len;
23
24 + if (fw_desc->u.bits.discard) {
25 + ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
26 + goto err;
27 + }
28 +
29 /* I have not yet seen any case where num_mpdu_ranges > 1.
30 * qcacld does not seem handle that case either, so we introduce the
31 * same limitiation here as well.
32 --- a/drivers/net/wireless/ath/ath10k/rx_desc.h
33 +++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
34 @@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
35 #define FW_RX_DESC_UDP (1 << 6)
36
37 struct fw_rx_desc_hl {
38 - u8 info0;
39 + union {
40 + struct {
41 + u8 discard:1,
42 + forward:1,
43 + any_err:1,
44 + dup_err:1,
45 + reserved:1,
46 + inspect:1,
47 + extension:2;
48 + } bits;
49 + u8 info0;
50 + } u;
51 +
52 u8 version;
53 u8 len;
54 u8 flags;