From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 6FA1CC5AD49 for ; Wed, 4 Jun 2025 02:39:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=0OZNEtjGlJhCRwS7YBhsPGzw69kJNouDj+PQAd4AbEs=; b=RmPxpsruS01wFhdKCWX9wD09dk P1wQkCWX7R5WvCKgb3lahnIyvKX1WYnsjCew1bJNZKDoztfXopX73mYpi5+RBZv5+wodxtAu6yokh iVATBIy62WT1DoOHDQhpfxaCXZbo1p31tuNJAUu8d0uwZD8+UHs61qpt3Wr9RGjrZU53/7EWi3Sce LstnWQ0UbALdgiwp1aFZB7qP6z6TQwpz1FeZLyztOJ3qpI0ml6/QmAQ4i9TIBapGHNlD1+EZ7FebK mQUkDxW2W9DloX8E+JXV/yq0XscCdTjbd1ImuW3g+HjuGAsHDLXpyzVo3YxGuDhUdEPtpbdN6ABCv ZHVqaNUA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMe2E-0000000CL8z-0nIG; Wed, 04 Jun 2025 02:39:22 +0000 Received: from dfw.source.kernel.org ([139.178.84.217]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMcWl-0000000C8P6-04LT for ath12k@lists.infradead.org; Wed, 04 Jun 2025 01:02:48 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 9300B5C058A; Wed, 4 Jun 2025 01:00:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 15A60C4CEF1; Wed, 4 Jun 2025 01:02:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1748998966; bh=SfPgkoIS4UQnwwME5BGk1QU1dI1VUviuDmJU8KBvr+Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AFnowmfgc/WGKkwMO6oSb10Zj3r6cPgn8TcxXWMzJ8CTrKT/Et8uJPBC9A1scRVVM 1hMTMSMxDosCBR7BY+/KhXwtFUJpb+tNPo/9DO4Whfq/2Q7IN/0U8G4bSGdhHfUMmw bxJUSXIqNctDfTgq6/xwF1p3D6LOGVix8SRO2zByr8LAoDwbh3ZKmZtnDs646OqiD9 v8Ogm0YSeOwGZ4TEssHO5h/FP7F3cFAuyK7ey0M9+scC76mL+7Vb85oT4SqS5Fg7yf i07w+SiVkhYBL6i/QZ/rNPDsFyyg+nY7NmKwgdQoz5sGCkw3P3MmWCT/kafwHwY699 XWACO2YDlQFHw== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Kang Yang , Vasanthakumar Thiagarajan , Jeff Johnson , Sasha Levin , jjohnson@kernel.org, linux-wireless@vger.kernel.org, ath12k@lists.infradead.org Subject: [PATCH AUTOSEL 6.6 16/62] wifi: ath12k: fix macro definition HAL_RX_MSDU_PKT_LENGTH_GET Date: Tue, 3 Jun 2025 21:01:27 -0400 Message-Id: <20250604010213.3462-16-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250604010213.3462-1-sashal@kernel.org> References: <20250604010213.3462-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6.92 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250603_180247_142236_5B02A428 X-CRM114-Status: GOOD ( 13.84 ) X-BeenThere: ath12k@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "ath12k" Errors-To: ath12k-bounces+ath12k=archiver.kernel.org@lists.infradead.org From: Kang Yang [ Upstream commit a69bbf89d751ba2d6da21d773c4e29c91c5e53c4 ] Currently, HAL_RX_MSDU_PKT_LENGTH_GET uses u32_get_bits to obtain the MSDU length from the MSDU description. This is not right. Because all halphy descriptions are little endian. So use le32_get_bits for HAL_RX_MSDU_PKT_LENGTH_GET. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Signed-off-by: Kang Yang Reviewed-by: Vasanthakumar Thiagarajan Link: https://patch.msgid.link/20250421023444.1778-9-kang.yang@oss.qualcomm.com Signed-off-by: Jeff Johnson Signed-off-by: Sasha Levin --- **YES** This commit should be backported to stable kernel trees as it fixes a critical endianness bug that can cause data corruption and system crashes. ## Analysis ### Nature of the Bug This is a **critical endianness bug fix**, not a feature enhancement. The commit changes `HAL_RX_MSDU_PKT_LENGTH_GET` from using `u32_get_bits` to `le32_get_bits`. The issue is that the underlying data structure `rx_msdu_desc` has `info0` declared as `__le32` (little-endian), but the macro was treating it as native-endian. ### Critical Impact Areas **1. Memory Safety & Data Corruption:** - The macro extracts MSDU (MAC Service Data Unit) packet lengths from hardware descriptors - On big- endian systems, `u32_get_bits` vs `le32_get_bits` would extract completely wrong values - These incorrect lengths are used for buffer bounds checking and memory allocation operations - This could lead to buffer overflows, memory corruption, or kernel crashes **2. Cross- Architecture Compatibility:** - This bug would manifest on big-endian architectures (ARM BE, MIPS BE, PowerPC) - x86/x86_64 systems wouldn't notice the bug due to little-endian architecture - The ath12k driver supports multiple hardware variants that require correct endian handling **3. Hardware Descriptor Consistency:** - Analysis shows the ath12k driver predominantly uses `le32_get_bits` (287 instances vs 242 `u32_get_bits`) - All hardware-specific MSDU length extraction consistently uses little-endian operations - The `struct rx_msdu_desc` explicitly marks `info0` as `__le32`, confirming hardware uses little- endian format ### Comparison with Similar Commits All the reference commits marked "NO" were either: - Feature additions (A-MSDU indication improvements) - Structural definition updates - Hardware descriptor format corrections This commit differs fundamentally - it's fixing actual data corruption that could cause crashes. ### Backporting Justification - **Fixes user-affecting bug**: System crashes and data corruption on big-endian systems - **Small and contained**: Single line change with clear, targeted fix - **No architectural changes**: Only corrects endianness handling - **Minimal regression risk**: Aligns code with actual hardware behavior - **Critical subsystem**: Network packet processing is core functionality This endianness bug represents exactly the type of critical, low-risk fix that stable trees are designed to address. drivers/net/wireless/ath/ath12k/hal_desc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath12k/hal_desc.h b/drivers/net/wireless/ath/ath12k/hal_desc.h index 6c17adc6d60b5..53d66c75344af 100644 --- a/drivers/net/wireless/ath/ath12k/hal_desc.h +++ b/drivers/net/wireless/ath/ath12k/hal_desc.h @@ -683,7 +683,7 @@ enum hal_rx_msdu_desc_reo_dest_ind { #define RX_MSDU_DESC_INFO0_DECAP_FORMAT GENMASK(30, 29) #define HAL_RX_MSDU_PKT_LENGTH_GET(val) \ - (u32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH)) + (le32_get_bits((val), RX_MSDU_DESC_INFO0_MSDU_LENGTH)) struct rx_msdu_desc { __le32 info0; -- 2.39.5