Re: Problem with "mac80211: free up 2 bytes in skb->cb"

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Re: Problem with "mac80211: free up 2 bytes in skb->cb"
       [not found] <48F416A3.3060205@blacksapphire.com>
@ 2008-10-14 13:19 ` Johannes Berg
  2008-10-14 21:57   ` [PATCH] mac80211 fix regression introduced by " Felix Fietkau
  0 siblings, 1 reply; 4+ messages in thread
From: Johannes Berg @ 2008-10-14 13:19 UTC (permalink / raw)
  To: Stephen Blackheath [to Rt2400-devel]
  Cc: Felix Fietkau, John W. Linville, Ben Martel, linux-wireless

[-- Attachment #1: Type: text/plain, Size: 852 bytes --]

On Tue, 2008-10-14 at 16:48 +1300, Stephen Blackheath [to Rt2400-devel]
wrote:
> Felix & John,
> 
> This patch definitely breaks wifi on the rt73usb.
> 
> The symptom is that all connection negotiation works, rx works, but 
> transmitted packets are garbage and are not received at the remote end. 
>   Tested in AP mode using hostapd and WPA encryption.  Also observed in 
> managed mode with WEP encryption, but in this case, it wasn't 100% 
> confirmed to be your patch.
> 
> The problem goes away completely with this option:
> 
> modprobe rt73usb nohwcrypt=1
> 
> ...which disables hardware encryption.
> 
> I don't know the exact reason, and I perhaps the bug is in rt73usb.

Yeah, the hw_key pointer is used (and obviously NULL) after skb->cb is
memset to 0, that is a bug in that patch, Felix will post a fix.

johannes

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] mac80211 fix regression introduced by "mac80211: free up 2 bytes in skb->cb"
  2008-10-14 13:19 ` Problem with "mac80211: free up 2 bytes in skb->cb" Johannes Berg
@ 2008-10-14 21:57   ` Felix Fietkau
  2008-10-14 22:00     ` Johannes Berg
  0 siblings, 1 reply; 4+ messages in thread
From: Felix Fietkau @ 2008-10-14 21:57 UTC (permalink / raw)
  To: Johannes Berg
  Cc: Stephen Blackheath, John W. Linville, Ben Martel, linux-wireless

The hw_key pointer is used (and obviously NULL) after skb->cb is
memset to 0. This patch grabs the iv_len before the memset call.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>

diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
index 1676ac4..451d410 100644
--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
@@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
 	struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
 	struct txentry_desc txdesc;
 	struct skb_frame_desc *skbdesc;
-	unsigned int iv_len;
+	unsigned int iv_len = 0;
 
 	if (unlikely(rt2x00queue_full(queue)))
 		return -EINVAL;
@@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
 	entry->skb = skb;
 	rt2x00queue_create_tx_descriptor(entry, &txdesc);
 
+	if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
+		iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
+
 	/*
 	 * All information is retreived from the skb->cb array,
 	 * now we should claim ownership of the driver part of that
@@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
 	 * the frame so we can provide it to the driver seperately.
 	 */
 	if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
-	    !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) &&
-		(IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
-		iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
+	    !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
 		rt2x00crypto_tx_remove_iv(skb, iv_len);
 	}
 

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] mac80211 fix regression introduced by "mac80211: free up 2 bytes in skb->cb"
  2008-10-14 21:57   ` [PATCH] mac80211 fix regression introduced by " Felix Fietkau
@ 2008-10-14 22:00     ` Johannes Berg
  2008-10-14 22:05       ` Felix Fietkau
  0 siblings, 1 reply; 4+ messages in thread
From: Johannes Berg @ 2008-10-14 22:00 UTC (permalink / raw)
  To: Felix Fietkau
  Cc: Stephen Blackheath, John W. Linville, Ben Martel, linux-wireless

[-- Attachment #1: Type: text/plain, Size: 2025 bytes --]

On Tue, 2008-10-14 at 23:57 +0200, Felix Fietkau wrote:
> The hw_key pointer is used (and obviously NULL) after skb->cb is
> memset to 0. This patch grabs the iv_len before the memset call.
> 
> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
> Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>

Subject should be "rt2x00: " instead of "mac80211 ", but

Acked-by: Johannes Berg <johannes@sipsolutions.net>

> 
> diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
> index 1676ac4..451d410 100644
> --- a/drivers/net/wireless/rt2x00/rt2x00queue.c
> +++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
> @@ -374,7 +374,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
>  	struct queue_entry *entry = rt2x00queue_get_entry(queue, Q_INDEX);
>  	struct txentry_desc txdesc;
>  	struct skb_frame_desc *skbdesc;
> -	unsigned int iv_len;
> +	unsigned int iv_len = 0;
>  
>  	if (unlikely(rt2x00queue_full(queue)))
>  		return -EINVAL;
> @@ -395,6 +395,9 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
>  	entry->skb = skb;
>  	rt2x00queue_create_tx_descriptor(entry, &txdesc);
>  
> +	if (IEEE80211_SKB_CB(skb)->control.hw_key != NULL)
> +		iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
> +
>  	/*
>  	 * All information is retreived from the skb->cb array,
>  	 * now we should claim ownership of the driver part of that
> @@ -410,9 +413,7 @@ int rt2x00queue_write_tx_frame(struct data_queue *queue, struct sk_buff *skb)
>  	 * the frame so we can provide it to the driver seperately.
>  	 */
>  	if (test_bit(ENTRY_TXD_ENCRYPT, &txdesc.flags) &&
> -	    !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags) &&
> -		(IEEE80211_SKB_CB(skb)->control.hw_key != NULL)) {
> -		iv_len = IEEE80211_SKB_CB(skb)->control.hw_key->iv_len;
> +	    !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc.flags)) {
>  		rt2x00crypto_tx_remove_iv(skb, iv_len);
>  	}
>  
> 

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] mac80211 fix regression introduced by "mac80211: free up 2 bytes in skb->cb"
  2008-10-14 22:00     ` Johannes Berg
@ 2008-10-14 22:05       ` Felix Fietkau
  0 siblings, 0 replies; 4+ messages in thread
From: Felix Fietkau @ 2008-10-14 22:05 UTC (permalink / raw)
  To: Johannes Berg
  Cc: Stephen Blackheath, John W. Linville, Ben Martel, linux-wireless

Johannes Berg wrote:
> On Tue, 2008-10-14 at 23:57 +0200, Felix Fietkau wrote:
>> The hw_key pointer is used (and obviously NULL) after skb->cb is
>> memset to 0. This patch grabs the iv_len before the memset call.
>> 
>> Signed-off-by: Felix Fietkau <nbd@openwrt.org>
>> Signed-off-by: Stephen Blackheath <tramp.enshrine.stephen@blacksapphire.com>
> 
> Subject should be "rt2x00: " instead of "mac80211 ", but
> 
> Acked-by: Johannes Berg <johannes@sipsolutions.net>
Yeah, sorry about that. 
John: please fix that up when merging ;)

- Felix

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2008-10-14 22:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <48F416A3.3060205@blacksapphire.com>
2008-10-14 13:19 ` Problem with "mac80211: free up 2 bytes in skb->cb" Johannes Berg
2008-10-14 21:57   ` [PATCH] mac80211 fix regression introduced by " Felix Fietkau
2008-10-14 22:00     ` Johannes Berg
2008-10-14 22:05       ` Felix Fietkau

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).