[PATCH] ath6kl: fix TCP corruption

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ath6kl: fix TCP corruption
@ 2011-09-27  8:00 Kalle Valo
  2011-09-27 18:28 ` Kalle Valo
  0 siblings, 1 reply; 2+ messages in thread
From: Kalle Valo @ 2011-09-27  8:00 UTC (permalink / raw)
  To: linux-wireless

From: Jouni Malinen <jouni@qca.qualcomm.com>

Commit 94e532d1a ("ath6kl: Fix system freeze under heavy data load")
aligns the skb data without checking if the skb is cloned. Because of
this ath6kl can corrupt the local TCP stack information that can result
in TCP retransmission failing and TCP connections stalling.

To avoid the corruption we need to copy the skb. Now the alignment
in ath6kl_htc_tx_buf_align() doesn't corrupt TCP packets anymore (and is
not even used for the cloned skb's that got copied since the alignment
of the data is handled at the copy time).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
---
 drivers/net/wireless/ath/ath6kl/txrx.c |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 348c646..0869ff3 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -317,6 +317,24 @@ int ath6kl_data_tx(struct sk_buff *skb, struct net_device *dev)
 
 	spin_unlock_bh(&ar->lock);
 
+	if (!IS_ALIGNED((unsigned long) skb->data - HTC_HDR_LENGTH, 4) &&
+	    skb_cloned(skb)) {
+		/*
+		 * We will touch (move the buffer data to align it. Since the
+		 * skb buffer is cloned and not only the header is changed, we
+		 * have to copy it to allow the changes. Since we are copying
+		 * the data here, we may as well align it by reserving suitable
+		 * headroom to avoid the memmove in ath6kl_htc_tx_buf_align().
+		 */
+		struct sk_buff *nskb;
+
+		nskb = skb_copy_expand(skb, HTC_HDR_LENGTH, 0, GFP_ATOMIC);
+		if (nskb == NULL)
+			goto fail_tx;
+		kfree_skb(skb);
+		skb = nskb;
+	}
+
 	cookie->skb = skb;
 	cookie->map_no = map_no;
 	set_htc_pkt_info(&cookie->htc_pkt, cookie, skb->data, skb->len,


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ath6kl: fix TCP corruption
  2011-09-27  8:00 [PATCH] ath6kl: fix TCP corruption Kalle Valo
@ 2011-09-27 18:28 ` Kalle Valo
  0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2011-09-27 18:28 UTC (permalink / raw)
  To: Kalle Valo; +Cc: linux-wireless

On 09/27/2011 11:00 AM, Kalle Valo wrote:
> From: Jouni Malinen <jouni@qca.qualcomm.com>
> 
> Commit 94e532d1a ("ath6kl: Fix system freeze under heavy data load")
> aligns the skb data without checking if the skb is cloned. Because of
> this ath6kl can corrupt the local TCP stack information that can result
> in TCP retransmission failing and TCP connections stalling.
> 
> To avoid the corruption we need to copy the skb. Now the alignment
> in ath6kl_htc_tx_buf_align() doesn't corrupt TCP packets anymore (and is
> not even used for the cloned skb's that got copied since the alignment
> of the data is handled at the copy time).

Applied.

Kalle

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-09-27 18:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-27  8:00 [PATCH] ath6kl: fix TCP corruption Kalle Valo
2011-09-27 18:28 ` Kalle Valo

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).