commit 9a3f45116f5e08819136cd512fd7f6450ac22aa8 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

b43: Fix DMA TX bounce buffer copying

b43 allocates a bouncebuffer, if the supplied TX skb is in an invalid
memory range for DMA.
However, this is broken in that it fails to copy over some metadata to the
new skb.

This patch fixes three problems:
* Failure to adjust the ieee80211_tx_info pointer to the new buffer.
This results in a kmemcheck warning.
* Failure to copy the skb cb, which contains ieee80211_tx_info, to the new skb.
This results in breakage of various TX-status postprocessing (Rate control).
* Failure to transfer the queue mapping.
This results in the wrong queue being stopped on saturation and can result in queue overflow.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Tested-by: Christian Casteyde <casteyde.christian@free.fr>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

authored by Michael Buesch and committed by John W. Linville 16 years ago 9a3f4511 f446d10f

+13 -2

1 changed file

expand all

unified split

drivers

net

wireless

b43

dma.c

+13 -2

drivers/net/wireless/b43/dma.c

··· 1157 1157 } 1158 1158 1159 1159 static int dma_tx_fragment(struct b43_dmaring *ring, 1160 - struct sk_buff *skb) 1160 + struct sk_buff **in_skb) 1161 1161 { 1162 + struct sk_buff *skb = *in_skb; 1162 1163 const struct b43_dma_ops *ops = ring->ops; 1163 1164 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 1164 1165 u8 *header; ··· 1225 1224 } 1226 1225 1227 1226 memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len); 1227 + memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb)); 1228 + bounce_skb->dev = skb->dev; 1229 + skb_set_queue_mapping(bounce_skb, skb_get_queue_mapping(skb)); 1230 + info = IEEE80211_SKB_CB(bounce_skb); 1231 + 1228 1232 dev_kfree_skb_any(skb); 1229 1233 skb = bounce_skb; 1234 + *in_skb = bounce_skb; 1230 1235 meta->skb = skb; 1231 1236 meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1); 1232 1237 if (b43_dma_mapping_error(ring, meta->dmaaddr, skb->len, 1)) { ··· 1362 1355 * static, so we don't need to store it per frame. */ 1363 1356 ring->queue_prio = skb_get_queue_mapping(skb); 1364 1357 1365 - err = dma_tx_fragment(ring, skb); 1358 + /* dma_tx_fragment might reallocate the skb, so invalidate pointers pointing 1359 + * into the skb data or cb now. */ 1360 + hdr = NULL; 1361 + info = NULL; 1362 + err = dma_tx_fragment(ring, &skb); 1366 1363 if (unlikely(err == -ENOKEY)) { 1367 1364 /* Drop this packet, as we don't have the encryption key 1368 1365 * anymore and must not transmit it unencrypted. */