[PATCH AUTOSEL 6.6 16/62] wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET

Tue Jun 3 18:01:27 PDT 2025

From: Kang Yang <kang.yang at oss.qualcomm.com>

[ Upstream commit a69bbf89d751ba2d6da21d773c4e29c91c5e53c4 ]

Currently, HAL_RX_MSDU_PKT_LENGTH_GET uses u32_get_bits to obtain the
MSDU length from the MSDU description.

This is not right. Because all halphy descriptions are little endian.

So use le32_get_bits for HAL_RX_MSDU_PKT_LENGTH_GET.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

Signed-off-by: Kang Yang <kang.yang at oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan at oss.qualcomm.com>
Link: https://patch.msgid.link/20250421023444.1778-9-kang.yang@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
Signed-off-by: Sasha Levin <sashal at kernel.org>
---

**YES** This commit should be backported to stable kernel trees as it
fixes a critical endianness bug that can cause data corruption and
system crashes. ## Analysis ### Nature of the Bug This is a **critical
endianness bug fix**, not a feature enhancement. The commit changes
`HAL_RX_MSDU_PKT_LENGTH_GET` from using `u32_get_bits` to
`le32_get_bits`. The issue is that the underlying data structure
`rx_msdu_desc` has `info0` declared as `__le32` (little-endian), but the
macro was treating it as native-endian. ### Critical Impact Areas **1.
Memory Safety & Data Corruption:** - The macro extracts MSDU (MAC
Service Data Unit) packet lengths from hardware descriptors - On big-
endian systems, `u32_get_bits` vs `le32_get_bits` would extract
completely wrong values - These incorrect lengths are used for buffer
bounds checking and memory allocation operations - This could lead to
buffer overflows, memory corruption, or kernel crashes **2. Cross-
Architecture Compatibility:** - This bug would manifest on big-endian
architectures (ARM BE, MIPS BE, PowerPC) - x86/x86_64 systems wouldn't
notice the bug due to little-endian architecture - The ath12k driver
supports multiple hardware variants that require correct endian handling
**3. Hardware Descriptor Consistency:** - Analysis shows the ath12k
driver predominantly uses `le32_get_bits` (287 instances vs 242
`u32_get_bits`) - All hardware-specific MSDU length extraction
consistently uses little-endian operations - The `struct rx_msdu_desc`
explicitly marks `info0` as `__le32`, confirming hardware uses little-
endian format ### Comparison with Similar Commits All the reference
commits marked "NO" were either: - Feature additions (A-MSDU indication
improvements) - Structural definition updates - Hardware descriptor
format corrections This commit differs fundamentally - it's fixing
actual data corruption that could cause crashes. ### Backporting
Justification - **Fixes user-affecting bug**: System crashes and data
corruption on big-endian systems - **Small and contained**: Single line
change with clear, targeted fix - **No architectural changes**: Only
corrects endianness handling - **Minimal regression risk**: Aligns code
with actual hardware behavior - **Critical subsystem**: Network packet
processing is core functionality This endianness bug represents exactly
the type of critical, low-risk fix that stable trees are designed to
address.

 drivers/net/wireless/ath/ath12k/hal_desc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath12k/hal_desc.h b/drivers/net/wireless/ath/ath12k/hal_desc.h
index 6c17adc6d60b5..53d66c75344af 100644
--- a/drivers/net/wireless/ath/ath12k/hal_desc.h
+++ b/drivers/net/wireless/ath/ath12k/hal_desc.h
@@ -683,7 +683,7 @@ enum hal_rx_msdu_desc_reo_dest_ind {
 #define RX_MSDU_DESC_INFO0_DECAP_FORMAT		GENMASK(30, 29)
 
 #define HAL_RX_MSDU_PKT_LENGTH_GET(val)		\
-	(u32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH))
+	(le32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH))
 
 struct rx_msdu_desc {
 	__le32 info0;
-- 
2.39.5


