[openwrt/staging/ldir.git] /

From: Wen Gong <wgong@codeaurora.org>
Date: Tue, 11 May 2021 20:02:55 +0200
Subject: [PATCH] ath10k: drop MPDU which has discard flag set by firmware
 for SDIO

When the discard flag is set by the firmware for an MPDU, it should be
dropped. This allows a mitigation for CVE-2020-24588 to be implemented
in the firmware.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049

Cc: stable@vger.kernel.org
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---

--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -2312,6 +2312,11 @@ static bool ath10k_htt_rx_proc_rx_ind_hl
        fw_desc = &rx->fw_desc;
        rx_desc_len = fw_desc->len;
 
+       if (fw_desc->u.bits.discard) {
+               ath10k_dbg(ar, ATH10K_DBG_HTT, "htt discard mpdu\n");
+               goto err;
+       }
+
        /* I have not yet seen any case where num_mpdu_ranges > 1.
         * qcacld does not seem handle that case either, so we introduce the
         * same limitiation here as well.
--- a/drivers/net/wireless/ath/ath10k/rx_desc.h
+++ b/drivers/net/wireless/ath/ath10k/rx_desc.h
@@ -1282,7 +1282,19 @@ struct fw_rx_desc_base {
 #define FW_RX_DESC_UDP              (1 << 6)
 
 struct fw_rx_desc_hl {
-       u8 info0;
+       union {
+               struct {
+               u8 discard:1,
+                  forward:1,
+                  any_err:1,
+                  dup_err:1,
+                  reserved:1,
+                  inspect:1,
+                  extension:2;
+               } bits;
+               u8 info0;
+       } u;
+
        u8 version;
        u8 len;
        u8 flags;