Baochen Qiang <bqiang@xxxxxxxxxxxxxx> wrote:

> For fragmented packets, ath11k reassembles each fragment as a normal
> packet and then reinjects it into HW ring. In this case, the DMA
> direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise
> invalid payload will be reinjected to HW and then delivered to host.
> What is more, since arbitrary memory could be allocated to the frame, we
> don't know what kind of data is contained in the buffer reinjected.
> Thus, as a bad result, private info may be leaked.
>
> Note that this issue is only found on Intel platform.
>
> Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
> Signed-off-by: Baochen Qiang <bqiang@xxxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>

Patch applied to ath-next branch of ath.git, thanks.

86a03dad0f5a ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210916064617.20006-1-bqiang@xxxxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
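
A userspace model of the effect the commit message above describes, added here as an illustration; it is not code from the ath11k patch or from the kernel. It assumes a platform where the CPU's buffer contents reach device-visible memory only when the mapping direction is to-device (the message does not say what the mechanism is on Intel), and every name in it is hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only: hypothetical names, not the kernel DMA API. */
enum model_dir { MODEL_TO_DEVICE, MODEL_FROM_DEVICE };
#define BUF_LEN 16

/* Constructed sample data (15 characters plus the terminating NUL). */
static const unsigned char stale[BUF_LEN] = "STALE-HOST-DATA";
static const unsigned char frame[BUF_LEN] = "REASSEMBLED-PKT";

/* Memory as the device sees it; may hold bytes from an earlier, unrelated use. */
static unsigned char device_view[BUF_LEN];

/* Map a CPU buffer for the device. Only a to-device mapping pushes the CPU's
 * bytes into what the device will read. A from-device mapping assumes the
 * device is about to overwrite the buffer, so nothing is copied (assumption). */
static void model_map(const unsigned char *cpu_buf, size_t len, enum model_dir dir)
{
    if (dir == MODEL_TO_DEVICE)
        memcpy(device_view, cpu_buf, len);
}

/* Run one reinjection: the host has built the reassembled frame, maps it with
 * the given direction, and HW then fetches the payload into hw_read. */
static void reinject(enum model_dir dir, unsigned char *hw_read)
{
    memcpy(device_view, stale, BUF_LEN);   /* leftover from earlier use */
    model_map(frame, BUF_LEN, dir);        /* host maps frame for reinjection */
    memcpy(hw_read, device_view, BUF_LEN); /* HW reads the payload */
}

/* 1 if HW received exactly the frame the host reassembled. */
int reinject_ok(enum model_dir dir)
{
    unsigned char hw_read[BUF_LEN];
    reinject(dir, hw_read);
    return memcmp(hw_read, frame, BUF_LEN) == 0;
}

/* 1 if HW received the stale bytes instead, which then go back to the host. */
int reinject_leaks_stale(enum model_dir dir)
{
    unsigned char hw_read[BUF_LEN];
    reinject(dir, hw_read);
    return memcmp(hw_read, stale, BUF_LEN) == 0;
}

int main(void)
{
    printf("FROM_DEVICE: ok=%d leak=%d\n", reinject_ok(MODEL_FROM_DEVICE),
           reinject_leaks_stale(MODEL_FROM_DEVICE));
    printf("TO_DEVICE:   ok=%d leak=%d\n", reinject_ok(MODEL_TO_DEVICE),
           reinject_leaks_stale(MODEL_TO_DEVICE));
    return 0;
}
```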