--- /dev/null
+From 62a8ff67eba52dae9b107e1fb8827054ed00a265 Mon Sep 17 00:00:00 2001
+From: Sriram R <srirrama@codeaurora.org>
+Date: Tue, 11 May 2021 20:02:57 +0200
+Subject: ath10k: Validate first subframe of A-MSDU before processing the list
+
+From: Sriram R <srirrama@codeaurora.org>
+
+commit 62a8ff67eba52dae9b107e1fb8827054ed00a265 upstream.
+
+In certain scenarios a normal MSDU can be received as an A-MSDU when
+the A-MSDU present bit of a QoS header gets flipped during reception.
+Since this bit is unauthenticated, the hardware crypto engine can pass
+the frame to the driver without any error indication.
+
+This could result in processing unintended subframes collected in the
+A-MSDU list. Hence, validate A-MSDU list by checking if the first frame
+has a valid subframe header.
+
+Comparing the non-aggregated MSDU and an A-MSDU, the fields of the first
+subframe DA matches the LLC/SNAP header fields of a normal MSDU.
+In order to avoid processing such frames, add a validation to
+filter such A-MSDU frames where the first subframe header DA matches
+with the LLC/SNAP header pattern.
+
+Tested-on: QCA9984 hw1.0 PCI 10.4-3.10-00047
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sriram R <srirrama@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Link: https://lore.kernel.org/r/20210511200110.e6f5eb7b9847.I38a77ae26096862527a5eab73caebd7346af8b66@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/htt_rx.c | 61 ++++++++++++++++++++++++++++---
+ 1 file changed, 57 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
+@@ -1605,14 +1605,62 @@ static void ath10k_htt_rx_h_unchain(stru
+ ath10k_unchain_msdu(amsdu);
+ }
+
++static bool ath10k_htt_rx_validate_amsdu(struct ath10k *ar,
++ struct sk_buff_head *amsdu)
++{
++ u8 *subframe_hdr;
++ struct sk_buff *first;
++ bool is_first, is_last;
++ struct htt_rx_desc *rxd;
++ struct ieee80211_hdr *hdr;
++ size_t hdr_len, crypto_len;
++ enum htt_rx_mpdu_encrypt_type enctype;
++ int bytes_aligned = ar->hw_params.decap_align_bytes;
++
++ first = skb_peek(amsdu);
++
++ rxd = (void *)first->data - sizeof(*rxd);
++ hdr = (void *)rxd->rx_hdr_status;
++
++ is_first = !!(rxd->msdu_end.common.info0 &
++ __cpu_to_le32(RX_MSDU_END_INFO0_FIRST_MSDU));
++ is_last = !!(rxd->msdu_end.common.info0 &
++ __cpu_to_le32(RX_MSDU_END_INFO0_LAST_MSDU));
++
++ /* Return in case of non-aggregated msdu */
++ if (is_first && is_last)
++ return true;
++
++ /* First msdu flag is not set for the first msdu of the list */
++ if (!is_first)
++ return false;
++
++ enctype = MS(__le32_to_cpu(rxd->mpdu_start.info0),
++ RX_MPDU_START_INFO0_ENCRYPT_TYPE);
++
++ hdr_len = ieee80211_hdrlen(hdr->frame_control);
++ crypto_len = ath10k_htt_rx_crypto_param_len(ar, enctype);
++
++ subframe_hdr = (u8 *)hdr + round_up(hdr_len, bytes_aligned) +
++ crypto_len;
++
++ /* Validate if the amsdu has a proper first subframe.
++ * There are chances a single msdu can be received as amsdu when
++ * the unauthenticated amsdu flag of a QoS header
++ * gets flipped in non-SPP AMSDU's, in such cases the first
++ * subframe has llc/snap header in place of a valid da.
++ * return false if the da matches rfc1042 pattern
++ */
++ if (ether_addr_equal(subframe_hdr, rfc1042_header))
++ return false;
++
++ return true;
++}
++
+ static bool ath10k_htt_rx_amsdu_allowed(struct ath10k *ar,
+ struct sk_buff_head *amsdu,
+ struct ieee80211_rx_status *rx_status)
+ {
+- /* FIXME: It might be a good idea to do some fuzzy-testing to drop
+- * invalid/dangerous frames.
+- */
+-
+ if (!rx_status->freq) {
+ ath10k_dbg(ar, ATH10K_DBG_HTT, "no channel configured; ignoring frame(s)!\n");
+ return false;
+@@ -1623,6 +1671,11 @@ static bool ath10k_htt_rx_amsdu_allowed(
+ return false;
+ }
+
++ if (!ath10k_htt_rx_validate_amsdu(ar, amsdu)) {
++ ath10k_dbg(ar, ATH10K_DBG_HTT, "invalid amsdu received\n");
++ return false;
++ }
++
+ return true;
+ }
+
--- /dev/null
+From 7e768532b2396bcb7fbf6f82384b85c0f1d2f197 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 25 May 2021 13:17:19 -0400
+Subject: dm snapshot: properly fix a crash when an origin has no snapshots
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 7e768532b2396bcb7fbf6f82384b85c0f1d2f197 upstream.
+
+If an origin target has no snapshots, o->split_boundary is set to 0.
+This causes BUG_ON(sectors <= 0) in block/bio.c:bio_split().
+
+Fix this by initializing chunk_size, and in turn split_boundary, to
+rounddown_pow_of_two(UINT_MAX) -- the largest power of two that fits
+into "unsigned" type.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-snap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-snap.c
++++ b/drivers/md/dm-snap.c
+@@ -793,7 +793,7 @@ static int dm_add_exception(void *contex
+ static uint32_t __minimum_chunk_size(struct origin *o)
+ {
+ struct dm_snapshot *snap;
+- unsigned chunk_size = 0;
++ unsigned chunk_size = rounddown_pow_of_two(UINT_MAX);
+
+ if (o)
+ list_for_each_entry(snap, &o->snapshots, list)
projects / thirdparty / kernel / stable-queue.git / commitdiff
