From: Hans de Goede <hdegoede@redhat.com>
To: Daniel Stone <daniels@collabora.com>, linux-wireless@vger.kernel.org
Cc: brcm80211-dev-list.pdl@broadcom.com,
brcm80211-dev-list@cypress.com,
Arend Van Spriel <arend.vanspriel@broadcom.com>,
James Hughes <james.hughes@raspberrypi.org>,
Hante Meuleman <hante.meuleman@broadcom.com>,
Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>,
Franky Lin <franky.lin@broadcom.com>
Subject: Re: [for-v4.13,V4] brcmfmac: Don't grow SKB by negative size
Date: Wed, 26 Jul 2017 23:59:39 +0200 [thread overview]
Message-ID: <8ae43770-e29f-e46c-034d-7bdee73009ea@redhat.com> (raw)
In-Reply-To: <20170726112410.22353-1-daniels@collabora.com>
Hi,
On 26-07-17 13:24, Daniel Stone wrote:
> The commit to rework the headroom check in start_xmit() now calls
> pxskb_expand_head() unconditionally if the header is CoW. Unfortunately,
> it does so with the delta between the extant headroom and the header
> length, which may be negative if there is already sufficient headroom.
>
> pskb_expand_head() does allow for size being 0, in which case it just
> copies, so clamp the header delta to zero.
>
> Opening Chrome (and all my tabs) on a PCIE device was enough to reliably
> hit this.
>
> Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()")
> Signed-off-by: Daniel Stone <daniels@collabora.com>
> Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
> Cc: James Hughes <james.hughes@raspberrypi.org>
> Cc: Hante Meuleman <hante.meuleman@broadcom.com>
> Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
> Cc: Franky Lin <franky.lin@broadcom.com>
> ---
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> v2: Correct thinko.
> v3: Bring assignment on to one line.
> v4: Use max_t rather than max.
I can confirm that this fixes a brcmfmac kernel panic for me:
Tested-by: Hans de Goede <hdegoede@redhat.com>
Regards,
Hans
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> index 2153e8062b4c..5cc3a07dda9e 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
> @@ -214,7 +214,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
>
> /* Make sure there's enough writeable headroom */
> if (skb_headroom(skb) < drvr->hdrlen || skb_header_cloned(skb)) {
> - head_delta = drvr->hdrlen - skb_headroom(skb);
> + head_delta = max_t(int, drvr->hdrlen - skb_headroom(skb), 0);
>
> brcmf_dbg(INFO, "%s: insufficient headroom (%d)\n",
> brcmf_ifname(ifp), head_delta);
>
next prev parent reply other threads:[~2017-07-26 21:59 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-26 8:49 [PATCH v2] brcmfmac: Don't grow SKB by negative size Daniel Stone
2017-07-26 9:32 ` Arend van Spriel
2017-07-26 11:03 ` [PATCH for-4.13 V3] " Daniel Stone
2017-07-26 11:15 ` Arend van Spriel
2017-07-26 11:24 ` [PATCH for-v4.13 V4] " Daniel Stone
2017-07-26 21:59 ` Hans de Goede [this message]
2017-07-27 6:15 ` Kalle Valo
2017-07-27 11:03 ` [for-v4.13,V4] " Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8ae43770-e29f-e46c-034d-7bdee73009ea@redhat.com \
--to=hdegoede@redhat.com \
--cc=arend.vanspriel@broadcom.com \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=brcm80211-dev-list@cypress.com \
--cc=daniels@collabora.com \
--cc=franky.lin@broadcom.com \
--cc=hante.meuleman@broadcom.com \
--cc=james.hughes@raspberrypi.org \
--cc=linux-wireless@vger.kernel.org \
--cc=pieter-paul.giesberts@broadcom.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).