linux-wireless.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ilan Peer <ilan.peer@intel.com>,
	Luca Coelho <luciano.coelho@intel.com>,
	Sasha Levin <sashal@kernel.org>,
	kvalo@kernel.org, davem@davemloft.net, kuba@kernel.org,
	johannes.berg@intel.com, miriam.rachel.korenblit@intel.com,
	avraham.stern@intel.com, emmanuel.grumbach@intel.com,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.16 166/217] iwlwifi: mvm: Fix calculation of frame length
Date: Mon, 17 Jan 2022 21:18:49 -0500
Message-ID: <20220118021940.1942199-166-sashal@kernel.org>
In-Reply-To: <20220118021940.1942199-1-sashal@kernel.org>

From: Ilan Peer <ilan.peer@intel.com>

[ Upstream commit 40a0b38d7a7f91a6027287e0df54f5f547e8d27e ]

The RADA might include in the Rx frame the MIC and CRC bytes.
These bytes should be removed for non monitor interfaces and
should not be passed to mac80211.

Fix the Rx processing to remove the extra bytes on non monitor
cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211219121514.098be12c801e.I1d81733d8a75b84c3b20eb6e0d14ab3405ca6a86@changeid
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
index e0601f802628c..1e2a55ccf1926 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
@@ -121,12 +121,39 @@ static int iwl_mvm_create_skb(struct iwl_mvm *mvm, struct sk_buff *skb,
 	struct iwl_rx_mpdu_desc *desc = (void *)pkt->data;
 	unsigned int headlen, fraglen, pad_len = 0;
 	unsigned int hdrlen = ieee80211_hdrlen(hdr->frame_control);
+	u8 mic_crc_len = u8_get_bits(desc->mac_flags1,
+				     IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK) << 1;
 
 	if (desc->mac_flags2 & IWL_RX_MPDU_MFLG2_PAD) {
 		len -= 2;
 		pad_len = 2;
 	}
 
+	/*
+	 * For non monitor interface strip the bytes the RADA might not have
+	 * removed. As monitor interface cannot exist with other interfaces
+	 * this removal is safe.
+	 */
+	if (mic_crc_len && !ieee80211_hw_check(mvm->hw, RX_INCLUDES_FCS)) {
+		u32 pkt_flags = le32_to_cpu(pkt->len_n_flags);
+
+		/*
+		 * If RADA was not enabled then decryption was not performed so
+		 * the MIC cannot be removed.
+		 */
+		if (!(pkt_flags & FH_RSCSR_RADA_EN)) {
+			if (WARN_ON(crypt_len > mic_crc_len))
+				return -EINVAL;
+
+			mic_crc_len -= crypt_len;
+		}
+
+		if (WARN_ON(mic_crc_len > len))
+			return -EINVAL;
+
+		len -= mic_crc_len;
+	}
+
 	/* If frame is small enough to fit in skb->head, pull it completely.
 	 * If not, only pull ieee80211_hdr (including crypto if present, and
 	 * an additional 8 bytes for SNAP/ethertype, see below) so that
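
Review bot: both new sanity checks, `WARN_ON(crypt_len > mic_crc_len)` and `WARN_ON(mic_crc_len > len)`, fire on values read from the Rx descriptor (`desc->mac_flags1`) in the per-frame path, so a device or firmware that keeps reporting an inconsistent MIC/CRC length would produce a backtrace for every such frame, and a full stop on systems running with panic_on_warn. Returning -EINVAL before `len -= mic_crc_len` is the right guard against the length underflowing; consider WARN_ON_ONCE or a rate-limited error message in its place so the frame is still dropped without flooding the log. The inner comment would also read more clearly if it said why `crypt_len` is subtracted from `mic_crc_len` when FH_RSCSR_RADA_EN is clear, that is, which bytes are then left in the frame for the later stages. Separately, the callers are not visible in this hunk; it is worth confirming that each of them handles the new -EINVAL return and releases the skb.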
-- 
2.34.1

