CVE-2023-52611

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: sdio: Honor the host maxreqsize in the RX path

Lukas reports skboverpanic errors on his Banana Pi BPI-CM4 which comes with an Amlogic A311D (G12B) SoC and a RTL8822CS SDIO wifi/Bluetooth combo card. The error he observed is identical to what has been fixed in commit e967229ead0e ("wifi: rtw88: sdio: Check the HISR RXREQUEST bit in rtwsdiorxisr()") but that commit didn't fix Lukas' problem.

Lukas found that disabling or limiting RX aggregation works around the problem for some time (but does not fully fix it). In the following discussion a few key topics have been discussed which have an impact on this problem: - The Amlogic A311D (G12B) SoC has a hardware bug in the SDIO controller which prevents DMA transfers. Instead all transfers need to go through the controller SRAM which limits transfers to 1536 bytes - rtw88 chips don't split incoming (RX) packets, so if a big packet is received this is forwarded to the host in it's original form - rtw88 chips can do RX aggregation, meaning more multiple incoming packets can be pulled by the host from the card with one MMC/SDIO transfer. This Depends on settings in the REGRXDMAAGGPGTH register (BITRXDMAAGGPGTH limits the number of packets that will be aggregated, BITDMAAGGTOV1 configures a timeout for aggregation and BITENPRE_CALC makes the chip honor the limits more effectively)

Use multiple consecutive reads in rtwsdioreadport() and limit the number of bytes which are copied by the host from the card in one MMC/SDIO transfer. This allows receiving a buffer that's larger than the hosts maxreqsize (number of bytes which can be transferred in one MMC/SDIO transfer). As a result of this the skbover_panic error is gone as the rtw88 driver is now able to receive more than 1536 bytes from the card (either because the incoming packet is larger than that or because multiple packets have been aggregated).

In case of an receive errors (-EILSEQ has been observed by Lukas) we need to drain the remaining data from the card's buffer, otherwise the card will return corrupt data for the next rtwsdioread_port() call.