Patch "ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 14 Nov 2021 22:10:43 -0500

This is a note to let you know that I've just added the patch titled

    ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ath11k-change-dma_from_device-to-dma_to_device-when-.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e5d9c00b2ec9ac44e836d79f40b3275e5cb7b262
Author: Baochen Qiang <bqiang@xxxxxxxxxxxxxx>
Date:   Tue Sep 28 14:00:46 2021 +0300

    ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets
    
    [ Upstream commit 86a03dad0f5ad8182ed5fcf7bf3eec71cd96577c ]
    
    For fragmented packets, ath11k reassembles each fragment as a normal
    packet and then reinjects it into HW ring. In this case, the DMA
    direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise
    invalid payload will be reinjected to HW and then delivered to host.
    What is more, since arbitrary memory could be allocated to the frame, we
    don't know what kind of data is contained in the buffer reinjected.
    Thus, as a bad result, private info may be leaked.
    
    Note that this issue is only found on Intel platform.
    
    Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
    Signed-off-by: Baochen Qiang <bqiang@xxxxxxxxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20210916064617.20006-1-bqiang@xxxxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 603d2f93ac18f..d4f7304a35ec1 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -3315,7 +3315,7 @@ static int ath11k_dp_rx_h_defrag_reo_reinject(struct ath11k *ar, struct dp_rx_ti
 
 	paddr = dma_map_single(ab->dev, defrag_skb->data,
 			       defrag_skb->len + skb_tailroom(defrag_skb),
-			       DMA_FROM_DEVICE);
+			       DMA_TO_DEVICE);
 	if (dma_mapping_error(ab->dev, paddr))
 		return -ENOMEM;
 
@@ -3380,7 +3380,7 @@ err_free_idr:
 	spin_unlock_bh(&rx_refill_ring->idr_lock);
 err_unmap_dma:
 	dma_unmap_single(ab->dev, paddr, defrag_skb->len + skb_tailroom(defrag_skb),
-			 DMA_FROM_DEVICE);
+			 DMA_TO_DEVICE);
 	return ret;
 }
 






