CVE-2023-53315

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 16/09/2025
Last modified: 14/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath11k: Fix SKB corruption in REO destination ring

While running traffics for a long time, randomly an RX descriptor filled with value "0" from REO destination ring is received. This descriptor which is invalid causes the wrong SKB (SKB stored in the IDR lookup with buffer id "0") to be fetched which in turn causes SKB memory corruption issue and the same leads to crash after some time.

Changed the start id for idr allocation to "1" and the buffer id "0" is reserved for error validation. Introduced Sanity check to validate the descriptor, before processing the SKB.

Crash Signature :

Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The Backtrace obtained is as follows:
[] (b15_dma_inv_range) from [] (dma_cache_maint_page+0x8c/0x128)
[] (dma_cache_maint_page) from [] (__dma_page_dev_to_cpu+0x28/0xcc)
[] (__dma_page_dev_to_cpu) from [] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[] (ath11k_dp_process_rx [ath11k]) from [] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[] (ath11k_dp_service_srng [ath11k]) from [] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [] (__napi_poll+0x28/0xb8)
[] (__napi_poll) from [] (net_rx_action+0xf0/0x280)
[] (net_rx_action) from [] (__do_softirq+0xd0/0x280)
[] (__do_softirq) from [] (irq_exit+0x74/0xd4)
[] (irq_exit) from [] (__handle_domain_irq+0x90/0xb4)
[] (__handle_domain_irq) from [] (gic_handle_irq+0x58/0x90)
[] (gic_handle_irq) from [] (__irq_svc+0x58/0x8c)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Vulnerable products and versions

CPE                                              From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.6 (including)    5.10.181 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.11 (including)   5.15.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     5.16 (including)   6.1.30 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     6.2 (including)    6.3.4 (excluding)