From: Ivo van Doorn <ivdoorn@gmail.com>
To: "John W. Linville" <linville@tuxdriver.com>
Cc: linux-wireless@vger.kernel.org, rt2400-devel@lists.sourceforge.net
Subject: [PATCH 06/10] rt2x00: Fix double usage of skb->cb in USB RX path.
Date: Sun, 8 Jun 2008 23:45:25 +0200
Message-ID: <200806082345.25904.IvDoorn@gmail.com>
In-Reply-To: <200806082345.04002.IvDoorn@gmail.com>
From: Gertjan van Wingerde <gwingerde@kpnplanet.nl>
It is not safe to use the skb->cb area for both the rxd and skb_frame_desc data at the
same time, while they occupy an overlapping piece of memory. This can lead to hard-to-
trace crashes as pointers within skb_frame_desc are pointing into nowhere, or the rxd
data is overwritten with nonsense.
Fix it by copying the rxd to a small buffer on the stack.
Signed-off-by: Gertjan van Wingerde <gwingerde@kpnplanet.nl>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
---
drivers/net/wireless/rt2x00/rt2500usb.c | 10 +++-------
drivers/net/wireless/rt2x00/rt2x00usb.c | 8 +++-----
drivers/net/wireless/rt2x00/rt73usb.c | 10 +++-------
3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c
index 1bfb68a..9851cef 100644
--- a/drivers/net/wireless/rt2x00/rt2500usb.c
+++ b/drivers/net/wireless/rt2x00/rt2500usb.c
@@ -1156,14 +1156,10 @@ static void rt2500usb_fill_rxdone(struct queue_entry *entry,
u32 word1;
/*
- * Copy descriptor to the skb->cb array, this has 2 benefits:
- * 1) Each descriptor word is 4 byte aligned.
- * 2) Descriptor is safe from moving of frame data in rt2x00usb.
+ * Copy descriptor to the skbdesc->desc buffer, making it safe from moving of
+ * frame data in rt2x00usb.
*/
- skbdesc->desc_len =
- min_t(u16, entry->queue->desc_size, sizeof(entry->skb->cb));
- memcpy(entry->skb->cb, rxd, skbdesc->desc_len);
- skbdesc->desc = entry->skb->cb;
+ memcpy(skbdesc->desc, rxd, skbdesc->desc_len);
rxd = (__le32 *)skbdesc->desc;
/*
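Review bot: the `memcpy(skbdesc->desc, rxd, skbdesc->desc_len);` in this hunk copies with no local bound, whereas the removed code capped the length with `min_t(u16, entry->queue->desc_size, sizeof(entry->skb->cb))`. The destination is now whatever buffer the caller hung on `skbdesc->desc`, so the safety of this copy rests entirely on the caller having sized that buffer for `entry->queue->desc_size`; keep a bound here, or have the caller assert one, so that a later change to a queue's descriptor size cannot silently turn this into a stack buffer overrun.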
diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.c b/drivers/net/wireless/rt2x00/rt2x00usb.c
index 6e22036..3080969 100644
--- a/drivers/net/wireless/rt2x00/rt2x00usb.c
+++ b/drivers/net/wireless/rt2x00/rt2x00usb.c
@@ -267,6 +267,7 @@ static void rt2x00usb_interrupt_rxdone(struct urb *urb)
struct sk_buff *skb;
struct skb_frame_desc *skbdesc;
struct rxdone_entry_desc rxdesc;
+ u8 rxd[32];
if (!test_bit(DEVICE_ENABLED_RADIO, &rt2x00dev->flags) ||
!test_and_clear_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags))
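Review bot: `u8 rxd[32];` is a bare magic number with nothing tying it to the descriptor sizes it has to hold for every USB chipset that shares this path, and a `u8` array carries no alignment guarantee, even though the old comment listed 4-byte alignment as a benefit and the chipset fill_rxdone routines cast the buffer to `__le32 *` and read 32-bit words from it. Suggest declaring it as a `__le32` (or `u32`) array sized by a named constant that is checked against each queue's desc_size, so both the size and the alignment are explicit rather than accidental.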
@@ -286,16 +287,13 @@ static void rt2x00usb_interrupt_rxdone(struct urb *urb)
skbdesc = get_skb_frame_desc(entry->skb);
memset(skbdesc, 0, sizeof(*skbdesc));
skbdesc->entry = entry;
+ skbdesc->desc = rxd;
+ skbdesc->desc_len = entry->queue->desc_size;
memset(&rxdesc, 0, sizeof(rxdesc));
rt2x00dev->ops->lib->fill_rxdone(entry, &rxdesc);
/*
- * Trim the skb to the correct size.
- */
- skb_trim(entry->skb, rxdesc.size);
-
- /*
* Allocate a new sk buffer to replace the current one.
* If allocation fails, we should drop the current frame
* so we can recycle the existing sk buffer for the new frame.
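Review bot: `skbdesc->desc = rxd;` stores a pointer to a stack buffer in a descriptor that lives in `skb->cb` and outlives this function, so once rt2x00usb_interrupt_rxdone returns, `skbdesc->desc` dangles; the field is never cleared in this hunk, so any later reader of the descriptor would hit exactly the kind of wild pointer the commit message sets out to fix. Either reset `desc` and `desc_len` after the fill_rxdone call or document that the field is only valid for the duration of fill_rxdone. Two smaller points: `skbdesc->desc_len = entry->queue->desc_size;` is assigned without comparison against `sizeof(rxd)`, which the removed min_t used to provide, and the deletion of `skb_trim(entry->skb, rxdesc.size);` is not mentioned in the changelog, which should say where the trim now happens.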
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 800a1e2..505a9f5 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -1428,14 +1428,10 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry,
u32 word1;
/*
- * Copy descriptor to the skb->cb array, this has 2 benefits:
- * 1) Each descriptor word is 4 byte aligned.
- * 2) Descriptor is safe from moving of frame data in rt2x00usb.
+ * Copy descriptor to the skbdesc->desc buffer, making it safe from moving of
+ * frame data in rt2x00usb.
*/
- skbdesc->desc_len =
- min_t(u16, entry->queue->desc_size, sizeof(entry->skb->cb));
- memcpy(entry->skb->cb, rxd, skbdesc->desc_len);
- skbdesc->desc = entry->skb->cb;
+ memcpy(skbdesc->desc, rxd, skbdesc->desc_len);
rxd = (__le32 *)skbdesc->desc;
/*
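Review bot: this hunk is the same change as the rt2500usb one above, and after it the copy itself (`memcpy(skbdesc->desc, rxd, skbdesc->desc_len);` followed by `rxd = (__le32 *)skbdesc->desc;`) is identical in both drivers; only the source pointer is chipset-specific. Consider a small shared helper in rt2x00usb that takes the source pointer and does the bounded copy, so the two drivers do not each repeat the sequence and the length check lives next to the buffer it protects.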
--
1.5.5.3