From: <gregkh@linuxfoundation.org>
To: huxm@marvell.com, akarwar@marvell.com,
gregkh@linuxfoundation.org, kvalo@codeaurora.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "mwifiex: remove redundant dma padding in AMSDU" has been added to the 4.4-stable tree
Date: Tue, 09 May 2017 11:44:02 +0200 [thread overview]
Message-ID: <1494323042178151@kroah.com> (raw)
This is a note to let you know that I've just added the patch titled
mwifiex: remove redundant dma padding in AMSDU
to the 4.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
mwifiex-remove-redundant-dma-padding-in-amsdu.patch
and it can be found in the queue-4.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From 5f0a221f59ad6b72202ef9c6e232086de8c336f2 Mon Sep 17 00:00:00 2001
From: Xinming Hu <huxm@marvell.com>
Date: Wed, 11 Jan 2017 21:41:24 +0530
Subject: mwifiex: remove redundant dma padding in AMSDU
From: Xinming Hu <huxm@marvell.com>
commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream.
We already ensure 64 bytes alignment and add padding if required
during skb_aggr allocation.
Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant.
We may end up accessing more data than allocated size with this.
This patch fixes following issue by removing redundant padding.
[ 370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550
put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev:<NULL>
[ 370.241374] ------------[ cut here ]------------
[ 370.241382] kernel BUG at net/core/skbuff.c:104!
370.244032] Call Trace:
[ 370.244041] [<ffffffff8c3df5ec>] skb_put+0x44/0x45
[ 370.244055] [<ffffffffc046946a>]
mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex]
[ 370.244067] [<ffffffffc0467c16>] mwifiex_wmm_process_tx+0x44a/0x6b7
[mwifiex]
[ 370.244074] [<ffffffffc0411eb8>] ? 0xffffffffc0411eb8
[ 370.244084] [<ffffffffc046116b>] mwifiex_main_process+0x476/0x5a5
[mwifiex]
[ 370.244098] [<ffffffffc0461298>] mwifiex_main_process+0x5a3/0x5a5
[mwifiex]
[ 370.244113] [<ffffffff8be7e9ff>] process_one_work+0x1a4/0x309
[ 370.244123] [<ffffffff8be7f4ca>] worker_thread+0x20c/0x2ee
[ 370.244130] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
[ 370.244136] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
[ 370.244143] [<ffffffff8be83742>] kthread+0x11c/0x124
[ 370.244150] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
[ 370.244157] [<ffffffff8c4da1ef>] ret_from_fork+0x3f/0x70
[ 370.244168] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned")
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/mwifiex/11n_aggr.c | 19 +++++++------------
1 file changed, 7 insertions(+), 12 deletions(-)
--- a/drivers/net/wireless/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/mwifiex/11n_aggr.c
@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
{
struct txpd *local_tx_pd;
struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
- unsigned int pad;
- int headroom = (priv->adapter->iface_type ==
- MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
-
- pad = ((void *)skb->data - sizeof(*local_tx_pd) -
- headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
- skb_push(skb, pad);
skb_push(skb, sizeof(*local_tx_pd));
@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
local_tx_pd->bss_num = priv->bss_num;
local_tx_pd->bss_type = priv->bss_type;
/* Always zero as the data is followed by struct txpd */
- local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +
- pad);
+ local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
- sizeof(*local_tx_pd) -
- pad);
+ sizeof(*local_tx_pd));
if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex
ra_list_flags);
return -1;
}
- skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);
+
+ /* skb_aggr->data already 64 byte align, just reserve bus interface
+ * header and txpd.
+ */
+ skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr);
memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));
Patches currently in stable-queue which might be from huxm@marvell.com are
queue-4.4/mwifiex-remove-redundant-dma-padding-in-amsdu.patch
reply other threads:[~2017-05-09 9:44 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1494323042178151@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=akarwar@marvell.com \
--cc=huxm@marvell.com \
--cc=kvalo@codeaurora.org \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.