From: Miaoqing Pan
To: jjohnson@kernel.org
Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Miaoqing Pan
Subject: [PATCH ath-next 1/2] wifi: ath11k: fix invalid data access in ath11k_dp_rx_h_undecap_nwifi
Date: Tue, 12 May 2026 10:23:50 +0800
Message-Id: <20260512022351.2033155-2-miaoqing.pan@oss.qualcomm.com>
In-Reply-To: <20260512022351.2033155-1-miaoqing.pan@oss.qualcomm.com>
References: <20260512022351.2033155-1-miaoqing.pan@oss.qualcomm.com>

In certain cases, hardware might provide packets with a length greater than the maximum native Wi-Fi header length. This can lead to accessing and modifying fields in the header within the ath11k_dp_rx_h_undecap_nwifi() function for the DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and potentially result in invalid data access and memory corruption.

Kernel stack is corrupted in: ath11k_dp_rx_h_undecap+0x6b0/0x6b0 [ath11k]
Call trace:
 ath11k_dp_rx_h_mpdu+0x0/0x2e8 [ath11k]
 ath11k_dp_rx_h_mpdu+0x1e0/0x2e8 [ath11k]
 ath11k_dp_rx_wbm_err+0x1e0/0x450 [ath11k]
 ath11k_dp_rx_process_wbm_err+0x2fc/0x460 [ath11k]
 ath11k_dp_service_srng+0x2e0/0x348 [ath11k]

Add a sanity check before processing the SKB to prevent invalid data access in the undecap native Wi-Fi function for the DP_RX_DECAP_TYPE_NATIVE_WIFI decap type.

This is adapted from the discussion/patch of the ath12k driver [1].

Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1

Link: https://lore.kernel.org/linux-wireless/20250211090302.4105141-1-tamizh.raja@oss.qualcomm.com/ # [1]
Signed-off-by: Miaoqing Pan
Reviewed-by: Baochen Qiang
Reviewed-by: Rameshkumar Sundaram
--- drivers/net/wireless/ath/ath11k/dp_rx.c | 50 +++++++++++++++++++++++-- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless= /ath/ath11k/dp_rx.c index fe79109adc70..fbe2061a544d 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c 
@@ -2502,6 +2502,29 @@ static void ath11k_dp_rx_deliver_msdu(struct ath11k = *ar, struct napi_struct *nap ieee80211_rx_napi(ar->hw, pubsta, msdu, napi); } =20 +static bool ath11k_dp_rx_check_nwifi_hdr_len_valid(struct ath11k_base *ab, + struct hal_rx_desc *rx_desc, + struct sk_buff *msdu) +{ + struct ieee80211_hdr *hdr; + u8 decap_type; + u32 hdr_len; + + decap_type =3D ath11k_dp_rx_h_msdu_start_decap_type(ab, rx_desc); + if (decap_type !=3D DP_RX_DECAP_TYPE_NATIVE_WIFI) + return true; + + hdr =3D (struct ieee80211_hdr *)msdu->data; + hdr_len =3D ieee80211_hdrlen(hdr->frame_control); + + if ((likely(hdr_len <=3D DP_MAX_NWIFI_HDR_LEN))) + return true; + + ab->soc_stats.invalid_rbm++; + WARN_ON_ONCE(1); + return false; +} + static int ath11k_dp_rx_process_msdu(struct ath11k *ar, struct sk_buff *msdu, struct sk_buff_head *msdu_list, @@ -2572,6 +2595,11 @@ static int ath11k_dp_rx_process_msdu(struct ath11k *= ar, } } =20 + if (unlikely(!ath11k_dp_rx_check_nwifi_hdr_len_valid(ab, rx_desc, msdu)))= { + ret =3D -EINVAL; + goto free_out; + } + ath11k_dp_rx_h_ppdu(ar, rx_desc, rx_status); ath11k_dp_rx_h_mpdu(ar, msdu, rx_desc, rx_status); =20 @@ -3261,6 +3289,12 @@ static int ath11k_dp_rx_h_verify_tkip_mic(struct ath= 11k *ar, struct ath11k_peer RX_FLAG_IV_STRIPPED | RX_FLAG_DECRYPTED; skb_pull(msdu, hal_rx_desc_sz); =20 + if (unlikely(!ath11k_dp_rx_check_nwifi_hdr_len_valid(ar->ab, rx_desc, + msdu))) { + dev_kfree_skb_any(msdu); + return -EINVAL; + } + ath11k_dp_rx_h_ppdu(ar, rx_desc, rxs); ath11k_dp_rx_h_undecap(ar, msdu, rx_desc, HAL_ENCRYPT_TYPE_TKIP_MIC, rxs, true); @@ -3953,6 +3987,10 @@ static int ath11k_dp_rx_h_null_q_desc(struct ath11k = *ar, struct sk_buff *msdu, skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len); skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes); } + + if (unlikely(!ath11k_dp_rx_check_nwifi_hdr_len_valid(ar->ab, desc, msdu))) + return -EINVAL; + ath11k_dp_rx_h_ppdu(ar, desc, status); =20 ath11k_dp_rx_h_mpdu(ar, msdu, desc, status); 
@@ -3997,7 +4035,7 @@ static bool ath11k_dp_rx_h_reo_err(struct ath11k *ar,= struct sk_buff *msdu, return drop; } =20 -static void ath11k_dp_rx_h_tkip_mic_err(struct ath11k *ar, struct sk_buff = *msdu, +static bool ath11k_dp_rx_h_tkip_mic_err(struct ath11k *ar, struct sk_buff = *msdu, struct ieee80211_rx_status *status) { u16 msdu_len; @@ -4005,6 +4043,7 @@ static void ath11k_dp_rx_h_tkip_mic_err(struct ath11k= *ar, struct sk_buff *msdu, u8 l3pad_bytes; struct ath11k_skb_rxcb *rxcb =3D ATH11K_SKB_RXCB(msdu); u32 hal_rx_desc_sz =3D ar->ab->hw_params.hal_desc_sz; + struct ath11k_base *ab =3D ar->ab; =20 rxcb->is_first_msdu =3D ath11k_dp_rx_h_msdu_end_first_msdu(ar->ab, desc); rxcb->is_last_msdu =3D ath11k_dp_rx_h_msdu_end_last_msdu(ar->ab, desc); @@ -4014,6 +4053,9 @@ static void ath11k_dp_rx_h_tkip_mic_err(struct ath11k= *ar, struct sk_buff *msdu, skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len); skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes); =20 + if (unlikely(!ath11k_dp_rx_check_nwifi_hdr_len_valid(ab, desc, msdu))) + return true; + ath11k_dp_rx_h_ppdu(ar, desc, status); =20 status->flag |=3D (RX_FLAG_MMIC_STRIPPED | RX_FLAG_MMIC_ERROR | 
@@ -4021,19 +4063,21 @@ static void ath11k_dp_rx_h_tkip_mic_err(struct ath1= 1k *ar, struct sk_buff *msdu, =20 ath11k_dp_rx_h_undecap(ar, msdu, desc, HAL_ENCRYPT_TYPE_TKIP_MIC, status, false); + + return false; } =20 static bool ath11k_dp_rx_h_rxdma_err(struct ath11k *ar, struct sk_buff *m= sdu, struct ieee80211_rx_status *status) { struct ath11k_skb_rxcb *rxcb =3D ATH11K_SKB_RXCB(msdu); - bool drop =3D false; + bool drop; =20 ar->ab->soc_stats.rxdma_error[rxcb->err_code]++; =20 switch (rxcb->err_code) { case HAL_REO_ENTR_RING_RXDMA_ECODE_TKIP_MIC_ERR: - ath11k_dp_rx_h_tkip_mic_err(ar, msdu, status); + drop =3D ath11k_dp_rx_h_tkip_mic_err(ar, msdu, status); break; default: /* TODO: Review other rxdma error code to check if anything is --=20 2.34.1
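
Review bot: in ath11k_dp_rx_check_nwifi_hdr_len_valid() (first hunk, @@ -2502), the reject path calls WARN_ON_ONCE(1) for a condition the commit message attributes to what the hardware delivers, so a malformed frame produces a kernel warning and, on systems booted with panic_on_warn, a panic. An ath11k_warn() or ath11k_dbg() message would report the drop without that side effect. The same path increments ab->soc_stats.invalid_rbm, whose name refers to a different error, so a dedicated counter would keep the statistics readable. The helper also reads hdr->frame_control from msdu->data without first checking that msdu->len covers those two bytes, and the doubled parentheses around likely() can be dropped.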
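
Review bot: the ath11k_dp_rx_h_null_q_desc() hunk (@@ -3953) returns -EINVAL without freeing msdu, while the ath11k_dp_rx_h_verify_tkip_mic() hunk (@@ -3261) calls dev_kfree_skb_any(msdu) before the same return. Neither caller is visible in the diff, so please confirm who owns the skb on each error path and state it in the commit message; a mismatch in either direction would be a leak or a double free.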
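
Review bot: in ath11k_dp_rx_h_rxdma_err() (last hunk, @@ -4021), removing the initializer from "bool drop" means every switch arm must now assign it, and the default arm is cut off in the context shown. Either keep "bool drop = false;" or confirm that the default arm sets drop. In the ath11k_dp_rx_h_tkip_mic_err() hunks, the new bool return (true for drop, false for deliver) deserves a one-line comment at the function, and the new local ab could replace the remaining ar->ab uses in that function.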

From: Miaoqing Pan
To: jjohnson@kernel.org
Cc: ath11k@lists.infradead.org, linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org, Miaoqing Pan
Subject: [PATCH ath-next 2/2] wifi: ath11k: add MSDU length validation for TKIP MIC error
Date: Tue, 12 May 2026 10:23:51 +0800
Message-Id: <20260512022351.2033155-3-miaoqing.pan@oss.qualcomm.com>
In-Reply-To: <20260512022351.2033155-1-miaoqing.pan@oss.qualcomm.com>
References: <20260512022351.2033155-1-miaoqing.pan@oss.qualcomm.com>

In the WBM error path, while processing TKIP MIC errors, MSDU length is fetched from the hal_rx_desc's msdu_end. This MSDU length is directly passed to skb_put() without validation. In stress test scenarios, the WBM error ring may receive invalid descriptors, which could lead to an invalid MSDU length.

To fix this, add a check to drop the skb when the calculated MSDU length is greater than the skb size.

This is adapted from the discussion/patch of the ath12k driver [1].

Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1

Link: https://lore.kernel.org/linux-wireless/20250416021903.3178962-1-nithyanantham.paramasivam@oss.qualcomm.com/ # [1]
Signed-off-by: Miaoqing Pan
Reviewed-by: Baochen Qiang
Reviewed-by: Rameshkumar Sundaram
--- drivers/net/wireless/ath/ath11k/dp_rx.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless= /ath/ath11k/dp_rx.c index fbe2061a544d..9c31bb7efcc8 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -4050,6 +4050,15 @@ static bool ath11k_dp_rx_h_tkip_mic_err(struct ath11= k *ar, struct sk_buff *msdu, =20 l3pad_bytes =3D ath11k_dp_rx_h_msdu_end_l3pad(ar->ab, desc); msdu_len =3D ath11k_dp_rx_h_msdu_start_msdu_len(ar->ab, desc); + + if (unlikely(hal_rx_desc_sz + l3pad_bytes + msdu_len > DP_RX_BUFFER_SIZE)= ) { + ath11k_dbg(ab, ATH11K_DBG_DATA, + "invalid msdu len in tkip mic err %u\n", msdu_len); + ath11k_dbg_dump(ab, ATH11K_DBG_DATA, NULL, "", desc, + sizeof(*desc)); + return true; + } + skb_put(msdu, hal_rx_desc_sz + l3pad_bytes + msdu_len); skb_pull(msdu, hal_rx_desc_sz + l3pad_bytes); =20 --=20 2.34.1
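
Review bot: the new check in ath11k_dp_rx_h_tkip_mic_err() compares hal_rx_desc_sz + l3pad_bytes + msdu_len against the constant DP_RX_BUFFER_SIZE, while the commit message describes a comparison with the skb size. If every buffer on this ring is allocated with DP_RX_BUFFER_SIZE the two are equivalent, but a comment saying so, or a test against the room actually left in msdu, would make the bound self-evident right before skb_put(). The drop is also only visible with ATH11K_DBG_DATA enabled, whereas patch 1/2 counts its drops in soc_stats, so a counter here would be consistent. The hunk uses the local ab that patch 1/2 introduces, so it does not apply on its own.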