From: Gertjan van Wingerde <gwingerde@gmail.com>
To: Ismael Luceno <ismael.luceno@gmail.com>
Cc: linux-wireless <linux-wireless@vger.kernel.org>,
	Ivo Van Doorn <ivdoorn@gmail.com>
Subject: Re: [PATCH v2] rt2x00: Fix panic on frame padding for rt2800 usb devices
Date: Wed, 22 Dec 2010 20:33:01 +0100
Message-ID: <4D12526D.7080100@gmail.com>
In-Reply-To: <1292899311-20768-1-git-send-email-ismael.luceno@gmail.com>

On 12/21/10 03:41, Ismael Luceno wrote:
> Backtrace:
>   rt2800usb_write_tx_data
>   rt2x00queue_write_tx_frame
>   rt2x00mac_tx
>   invoke_tx_handlers
>   __ieee80211_tx
>   ieee80211_tx
>   virt_to_head_page
>   ieee80211_xmit
>   ieee80211_tx_skb
>   ieee80211_scan_work
>   schedule
>   ieee80211_scan_work
>   process_one_work
>   ...
> 
> It tried to expand the skb past its end using skb_put. So I replaced it
> with a call to skb_padto, which takes the issue into account.
> 
> Signed-off-by: Ismael Luceno <ismael.luceno@gmail.com>
> ---
>  drivers/net/wireless/rt2x00/rt2800usb.c |   16 ++++++++++++----
>  1 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c
> index 3e0205d..b97a4a5 100644
> --- a/drivers/net/wireless/rt2x00/rt2800usb.c
> +++ b/drivers/net/wireless/rt2x00/rt2800usb.c
> @@ -369,7 +369,10 @@ static void rt2800usb_write_tx_desc(struct queue_entry *entry,
>  static void rt2800usb_write_tx_data(struct queue_entry *entry,
>  					struct txentry_desc *txdesc)
>  {
> -	u8 padding_len;
> +	unsigned int len;
> +	int err;
> +
> +	rt2800_write_tx_data(entry, txdesc);
>  
>  	/*
>  	 * pad(1~3 bytes) is added after each 802.11 payload.
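
Review bot: rt2800usb_write_tx_data() stays `static void` while this hunk introduces `int err`, so whatever failure `err` records cannot reach the caller. If padding can fail, return an int from this function so the TX path can drop the frame, rather than recording an error that only this function sees.
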
> @@ -378,9 +381,14 @@ static void rt2800usb_write_tx_data(struct queue_entry *entry,
>  	 * | TXINFO | TXWI | 802.11 header | L2 pad | payload | pad | USB end pad |
>  	 *                 |<------------- tx_pkt_len ------------->|
>  	 */
> -        rt2800_write_tx_data(entry, txdesc);
> -        padding_len = roundup(entry->skb->len + 4, 4) - entry->skb->len;
> -        memset(skb_put(entry->skb, padding_len), 0, padding_len);
> +	len = roundup(entry->skb->len, 4) + 4;
> +	err = skb_padto(entry->skb, len);
> +	if (unlikely(err)) {
> +		WARNING(entry->queue->rt2x00dev, "TX SKB padding error, out of memory\n");
> +		return;
> +	}
> +
> +	entry->skb->len = len;
>  }
>  
>  /*
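
Review bot: in the `if (unlikely(err))` branch, skb_padto() has already freed the skb when it returns an error, so the bare `return;` leaves entry->skb pointing at freed memory with no way for the caller to tell. Clear entry->skb there or propagate the error so the frame is dropped. Separately, `entry->skb->len = len;` changes the length without advancing the tail pointer, since skb_padto() only zeroes the tail room; calling skb_put(entry->skb, len - entry->skb->len) after a successful pad keeps len and tail consistent. The new expression roundup(entry->skb->len, 4) + 4 gives the same value as the removed roundup(entry->skb->len + 4, 4) for every length, so the padded size itself is unchanged.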

Why did you change the computation of the length?

To me, looking at the original code, the correct computation should be:

len = roundup(entry->skb->len + 4, 4);

Now it seems we sometimes include padding where we don't have to (and thus
potentially have to expand the buffer when we won't have to).

---
Gertjan.
