bes2600: bounce SDIO TX buffers to avoid DMA OOB read

The SDIO TX path rounds the DMA transfer length up to the host's
current block size and hands that length to dma_map_sg() via
sg_set_buf(&sg[scatters], tx_buffer->buf, align) in sdio_tx_work().
tx_buffer->buf typically aliases into an skb linear head whose
allocated size matches tx_buffer->len, not the block-aligned
align. The DMA engine (swiotlb / dw_mci IDMAC) therefore reads up
to one block past the end of the skb. On a PineTab2 with KFENCE
enabled this fires as:

  BUG: KFENCE: out-of-bounds read in __pi_memcpy_generic
  Out-of-bounds read at ... (704B right of kfence-#...):
  __pi_memcpy_generic
  swiotlb_tbl_map_single
  swiotlb_map
  dma_direct_map_sg
  __dma_map_sg_attrs
  dma_map_sg_attrs
  dw_mci_pre_dma_transfer
  __dw_mci_start_request
  ...
  bes_sdio_memcpy_to_io_helper+0x18c/0x288 [bes2600]
  sdio_tx_work+0x2b4/0x4a0 [bes2600]

allocated by ... pskb_expand_head / validate_xmit_skb / tcp_*

In addition to being undefined behavior, the padding bytes (which
come from whatever memory follows the skb) are transmitted to the
peer, leaking kernel memory on the air.

Allocate a driver-owned DMA-page bounce buffer sized to
MAX_SDIO_TRANSFER_LEN and use it as the scatter-gather backing for
sdio_tx_work. Each TX buffer is copied into its bounce slot and the
tail (align - tx_buffer->len bytes) is zeroed. This mirrors the
existing bounce pattern already used by bes2600_sdio_memcpy_toio()
via single_gathered_buffer; a separate allocation is used for the
TX path because single_gathered_buffer is only serialised via
sdio_claim_host and sdio_tx_work accumulates scatter entries before
claiming the bus.

Signed-off-by: Markus Fritsche <fritsche.markus@gmail.com>

bes2600/bes2600.h

@@ -596,11 +596,6 @@ struct bes2600_vif {
         unsigned long           rx_timestamp;
         u32                     cipherType;
 
-	/* Decrypt-storm fast-recover (Trigger B). See txrx.c. */
-	unsigned long			decrypt_storm_window_start;
-	unsigned int			decrypt_storm_count;
-	unsigned int			decrypt_storm_recoveries;
-	struct work_struct		decrypt_storm_recover_work;
 
 	/* AP powersave */
 	u32			link_id_map;
@@ -861,8 +856,4 @@ int bes2600_btusb_setup_pipes(struct sbus_priv *sbus_priv);
 void bes2600_btusb_uninit(struct usb_interface *interface);
 #endif
 
-/* Decrypt-storm fast-recover helpers — see txrx.c. */
-void bes2600_decrypt_storm_init(struct bes2600_vif *priv);
-void bes2600_decrypt_storm_account(struct bes2600_vif *priv);
-
 #endif /* BES2600_H */

bes2600/bes2600_sdio.c

@@ -94,6 +94,7 @@ struct sbus_priv {
 	struct work_struct tx_work;
 	struct scatterlist tx_sg[BES_SDIO_TX_MULTIPLE_NUM + 1];
 	struct scatterlist tx_sg_nosignal[BES_SDIO_TX_MULTIPLE_NUM_NOSIGNAL + 1];
+	u8 *tx_bounce;
 	u32 tx_data_cnt;
 	u32 tx_xfer_cnt;
 	u32 tx_proc_cnt;
@@ -1135,7 +1136,26 @@ static void sdio_tx_work(struct work_struct *work)
 				}
 			}
 
-			sg_set_buf(&sg[scatters], tx_buffer->buf, align);
+			/*
+			 * The transfer length is rounded up to the SDIO block
+			 * size, but tx_buffer->buf is only tx_buffer->len bytes
+			 * long (it usually aliases into an skb linear head).
+			 * Copy into a driver-owned bounce buffer and zero-pad
+			 * to the aligned size; otherwise DMA reads past the
+			 * skb and leaks adjacent kernel memory on the wire --
+			 * observed as KFENCE OOB reads from
+			 * bes_sdio_memcpy_to_io_helper via dma_map_sg.
+			 */
+			if (WARN_ON_ONCE(total_len + align > MAX_SDIO_TRANSFER_LEN))
+				goto flush_previous;
+			memcpy(self->tx_bounce + total_len,
+			       tx_buffer->buf, tx_buffer->len);
+			if (align > tx_buffer->len)
+				memset(self->tx_bounce + total_len +
+				       tx_buffer->len, 0,
+				       align - tx_buffer->len);
+			sg_set_buf(&sg[scatters],
+				   self->tx_bounce + total_len, align);
 			total_len += align;
 			++scatters;
 /*del_node:*/
@@ -1853,6 +1873,17 @@ static int bes2600_sdio_probe(struct sdio_func *func,
 	if (!self->single_gathered_buffer)
 		return -ENOMEM;
 #endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+	self->tx_bounce = (u8 *)__get_dma_pages(GFP_KERNEL,
+					get_order(MAX_SDIO_TRANSFER_LEN));
+	if (!self->tx_bounce) {
+#ifndef SDIO_HOST_ADMA_SUPPORT
+		free_pages((unsigned long)self->single_gathered_buffer,
+			   get_order(MAX_SDIO_TRANSFER_LEN));
+#endif
+		return -ENOMEM;
+	}
+#endif
 #ifdef BES_SDIO_RXTX_TOGGLE
 	self->fw_started = false;
 #endif
@@ -1981,6 +2012,12 @@ static void bes2600_sdio_remove(struct sdio_func *func)
 		if (self->single_gathered_buffer) {
 			free_pages((unsigned long)self->single_gathered_buffer, get_order(MAX_SDIO_TRANSFER_LEN));
 		}
+#endif
+#ifdef BES_SDIO_TX_MULTIPLE_ENABLE
+		if (self->tx_bounce) {
+			free_pages((unsigned long)self->tx_bounce,
+				   get_order(MAX_SDIO_TRANSFER_LEN));
+		}
 #endif
 		kfree(self);
 	}

bes2600/debug.c

@@ -542,8 +542,6 @@ static int bes2600_status_show_priv(struct seq_file *seq, void *v)
 		priv->listening ? " (listening)" : "");
 	seq_printf(seq, "Assoc:      %s\n",
 		bes2600_debug_join_status[priv->join_status]);
-	seq_printf(seq, "DecryptStormRecoveries: %u\n",
-		   priv->decrypt_storm_recoveries);
 	if (priv->rx_filter.promiscuous)
 		seq_puts(seq,   "Filter:     promisc\n");
 	else if (priv->rx_filter.fcs)

bes2600/sta.c

@@ -448,7 +448,6 @@ void bes2600_remove_interface(struct ieee80211_hw *dev,
 	cancel_delayed_work_sync(&priv->join_timeout);
 	cancel_delayed_work_sync(&priv->set_cts_work);
 	cancel_delayed_work_sync(&priv->pending_offchanneltx_work);
-	cancel_work_sync(&priv->decrypt_storm_recover_work);
 
 	del_timer_sync(&priv->mcast_timeout);
 	/* TODO:COMBO: May be reset of these variables "delayed_link_loss and
@@ -2620,7 +2619,6 @@ int bes2600_vif_setup(struct bes2600_vif *priv)
 
 	/* Setup per vif workitems and locks */
 	spin_lock_init(&priv->vif_lock);
-	bes2600_decrypt_storm_init(priv);
 	INIT_WORK(&priv->join_work, bes2600_join_work);
 	INIT_DELAYED_WORK(&priv->join_timeout, bes2600_join_timeout);
 	INIT_WORK(&priv->unjoin_work, bes2600_unjoin_work);

bes2600/txrx.c

@@ -25,78 +25,6 @@
 
 #define BES2600_INVALID_RATE_ID (0xFF)
 
-/*
- * Decrypt-storm fast-recover (Trigger B).
- *
- * When the BES2600 firmware reports WSM_STATUS_DECRYPTFAILURE for a
- * burst of received frames (typically because the host's PTK or GTK
- * has fallen out of sync with the AP), the AP eventually concludes that
- * the STA is not authenticated and emits an unprotected deauth-reason-6
- * ("Class 2 frame received from non-authenticated station"). On the
- * deployed pinetab2 + bes2600 stack this AP-initiated deauth has been
- * observed to leave the link blackholed for up to 109 s before
- * userspace finds a different SSID/channel to recover on. (Receipts at
- * https://git.reauktion.de/marfrit/besser, notes/phase5-2026-05-06.md.)
- *
- * Recovery here pre-empts the AP: when we see THRESHOLD decrypt
- * failures within WINDOW, we ask mac80211 for a clean reassoc via
- * ieee80211_connection_loss(), which causes immediate disassociation
- * and lets userspace auto-reconnect with fresh keys.
- *
- * mac80211 contract: ieee80211_connection_loss() may be called
- * regardless of IEEE80211_HW_CONNECTION_MONITOR; it causes immediate
- * disassociation without driver-side recovery attempts. See
- * include/net/mac80211.h for the canonical doc-comment.
- *
- * The threshold is set well above the steady-state per-vif
- * decrypt-fail rate observed in measurement (~1/min even under
- * sustained 1 MB/s load), so a true storm is required to trip it.
- */
-#define BES2600_DECRYPT_STORM_THRESHOLD	5
-#define BES2600_DECRYPT_STORM_WINDOW_MS	5000
-
-static void bes2600_decrypt_storm_recover_work(struct work_struct *work)
-{
-	struct bes2600_vif *priv = container_of(work, struct bes2600_vif,
-						decrypt_storm_recover_work);
-
-	if (!priv->vif)
-		return;
-
-	bes_warn("[bes2600] decrypt-storm fast-recover: forcing reassoc\n");
-	ieee80211_connection_loss(priv->vif);
-	priv->decrypt_storm_recoveries++;
-}
-
-void bes2600_decrypt_storm_init(struct bes2600_vif *priv)
-{
-	INIT_WORK(&priv->decrypt_storm_recover_work,
-		  bes2600_decrypt_storm_recover_work);
-	priv->decrypt_storm_window_start = 0;
-	priv->decrypt_storm_count = 0;
-	priv->decrypt_storm_recoveries = 0;
-}
-
-void bes2600_decrypt_storm_account(struct bes2600_vif *priv)
-{
-	unsigned long now = jiffies;
-	unsigned long window = msecs_to_jiffies(BES2600_DECRYPT_STORM_WINDOW_MS);
-
-	if (priv->decrypt_storm_window_start == 0 ||
-	    time_after(now, priv->decrypt_storm_window_start + window)) {
-		priv->decrypt_storm_window_start = now;
-		priv->decrypt_storm_count = 1;
-		return;
-	}
-
-	if (++priv->decrypt_storm_count >= BES2600_DECRYPT_STORM_THRESHOLD) {
-		priv->decrypt_storm_count = 0;
-		/* Skew the window so we don't re-fire on the same storm. */
-		priv->decrypt_storm_window_start = now + window;
-		schedule_work(&priv->decrypt_storm_recover_work);
-	}
-}
-
 #ifdef CONFIG_BES2600_TESTMODE
 #include "bes_nl80211_testmode_msg.h"
 #endif /* CONFIG_BES2600_TESTMODE */
@@ -1744,8 +1672,6 @@ void bes2600_rx_cb(struct bes2600_vif *priv,
 			goto drop;
 		} else {
 			bes_warn("[RX] Receive failure: %d.\n", arg->status);
-			if (arg->status == WSM_STATUS_DECRYPTFAILURE)
-				bes2600_decrypt_storm_account(priv);
 			goto drop;
 		}
 	}