[PATCH 1/5] ath11k: Change DMA_FROM_DEVICE to DMA_TO_DEVICE when map reinjected packets

Kalle Valo kvalo at codeaurora.org
Tue Sep 14 10:09:06 PDT 2021


Jouni Malinen <jouni at codeaurora.org> wrote:

> For fragmented packets, ath11k reassembles each fragment as a normal
> packet and then reinjects it into HW ring. In this case, the DMA
> direction should be DMA_TO_DEVICE, not DMA_FROM_DEVICE, otherwise
> invalid payload will be reinjected to HW and then delivered to host.
> What is more, since arbitrary memory could be allocated to the frame, we
> don't know what kind of data is contained in the buffer reinjected.
> Thus, as a bad result, private info may be leaked.
> 
> Note that this issue is only found on Intel platform.
> 
> Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
> Signed-off-by: Baochen Qiang <bqiang at codeaurora.org>
> Signed-off-by: Jouni Malinen <jouni at codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo at codeaurora.org>

Dropping due to the issue Peter found.

Patch set to Changes Requested.

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210913180246.193388-1-jouni@codeaurora.org/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches



