CVE-2023-52611

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/03/2024
Last modified: 10/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: sdio: Honor the host max_req_size in the RX path

Lukas reports skb_over_panic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RX_REQUEST bit in rtw_sdio_rx_isr()") but that commit didn't fix Lukas' problem.

Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem:
- The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes
- rtw88 chips don't split incoming (RX) packets, so if a big packet is received this is forwarded to the host in its original form
- rtw88 chips can do RX aggregation, meaning multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This depends on settings in the REG_RXDMA_AGG_PG_TH register (BIT_RXDMA_AGG_PG_TH limits the number of packets that will be aggregated, BIT_DMA_AGG_TO_V1 configures a timeout for aggregation and BIT_EN_PRE_CALC makes the chip honor the limits more effectively)

Use multiple consecutive reads in rtw_sdio_read_port() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that's larger than the host's max_req_size (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skb_over_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated).

In case of receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card's buffer, otherwise the card will return corrupt data for the next rtw_sdio_read_port() call.
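The read pattern the description outlines, as an added userspace model (not the kernel patch or rtw88 driver code): a 4000-byte burst is pulled in transfers capped at 1536 bytes, and a failed transfer is reported while the remaining bytes are still read so the FIFO ends up empty. `mock_card`, `mock_xfer`, `read_port_chunked` and `run_read` are hypothetical names, and the burst size and fill pattern are constructed.

```c
#include <errno.h>
#include <string.h>

#define MAX_REQ_SIZE 1536u  /* host per-transfer limit named in the description */
#define RX_LEN       4000u  /* constructed aggregated RX burst */
/* Constructed model of the card's RX FIFO; not a kernel structure. */
static struct mock_card {
    unsigned char fifo[RX_LEN];
    size_t pos, largest;    /* bytes consumed; largest single transfer */
    int xfers, fail_on;     /* transfers issued; 1-based transfer that fails */
} card;
static unsigned char rxbuf[RX_LEN];

/* One bus transfer; the FIFO advances even when the transfer reports an error. */
static int mock_xfer(unsigned char *dst, size_t n)
{
    if (n > card.largest)
        card.largest = n;
    if (++card.xfers != card.fail_on)
        memcpy(dst, card.fifo + card.pos, n);
    card.pos += n;
    return card.xfers == card.fail_on ? -EILSEQ : 0;
}

/* Read count bytes in chunks of at most max_req; after an error keep reading to drain. */
static int read_port_chunked(unsigned char *buf, size_t count, size_t max_req)
{
    int ret = 0;
    while (count > 0) {
        size_t bytes = count < max_req ? count : max_req;
        int err = mock_xfer(buf, bytes);
        if (err && !ret)
            ret = err;      /* report the failure, but do not stop */
        count -= bytes;
        buf += bytes;
    }
    return ret;
}

/* Reset the mock card and read one burst; fail_on = 0 injects no error. */
static int run_read(int fail_on)
{
    memset(&card, 0, sizeof(card));
    memset(card.fifo, 0xA5, RX_LEN);
    card.fail_on = fail_on;
    return read_port_chunked(rxbuf, RX_LEN, MAX_REQ_SIZE);
}

int main(void) { return run_read(0) == 0 && run_read(2) == -EILSEQ ? 0 : 1; }
```

If the loop returned at the first error instead, `card.pos` would stop at 3072 and the 928 leftover bytes would be the first thing the next read sees.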

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.4 (including) | 6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.2 (excluding)