mwifiex: remove redundant dma padding in AMSDU

commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream. We already ensure 64 bytes alignment and add padding if required during skb_aggr allocation. Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant. We may end up accessing more data than allocated size with this. This patch fixes following issue by removing redundant padding. [ 370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550 put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev:<NULL> [ 370.241374] ------------[ cut here ]------------ [ 370.241382] kernel BUG at net/core/skbuff.c:104! 370.244032] Call Trace: [ 370.244041] [<ffffffff8c3df5ec>] skb_put+0x44/0x45 [ 370.244055] [<ffffffffc046946a>] mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex] [ 370.244067] [<ffffffffc0467c16>] mwifiex_wmm_process_tx+0x44a/0x6b7 [mwifiex] [ 370.244074] [<ffffffffc0411eb8>] ? 0xffffffffc0411eb8 [ 370.244084] [<ffffffffc046116b>] mwifiex_main_process+0x476/0x5a5 [mwifiex] [ 370.244098] [<ffffffffc0461298>] mwifiex_main_process+0x5a3/0x5a5 [mwifiex] [ 370.244113] [<ffffffff8be7e9ff>] process_one_work+0x1a4/0x309 [ 370.244123] [<ffffffff8be7f4ca>] worker_thread+0x20c/0x2ee [ 370.244130] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383 [ 370.244136] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383 [ 370.244143] [<ffffffff8be83742>] kthread+0x11c/0x124 [ 370.244150] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24 [ 370.244157] [<ffffffff8c4da1ef>] ret_from_fork+0x3f/0x70 [ 370.244168] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24 Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned") Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Xinming Hu <huxm@marvell.com> 2017-01-11 11:11:24 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-05-14 08:00:15 -0400
commit: dcdeaa74334299fd98c29703aa82deec3ae6b37a (patch)
tree: ea1db89593dba7604f540f0f6fa8465abba9db6c
parent: 525fda9221a8f78d214e42a6e18d1fd13d73dc11 (diff)
1 files changed, 7 insertions, 12 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index c47d6366875d..a75013ac84d7 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifiex_private *priv,
 {
        struct txpd *local_tx_pd;
        struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
-        unsigned int pad;
-        int headroom = (priv->adapter->iface_type ==
-                        MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
-        pad = ((void *)skb->data - sizeof(*local_tx_pd) -
-                headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
-        skb_push(skb, pad);
        skb_push(skb, sizeof(*local_tx_pd));
@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifiex_private *priv,
        local_tx_pd->bss_num = priv->bss_num;
        local_tx_pd->bss_type = priv->bss_type;
        /* Always zero as the data is followed by struct txpd */
-        local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +
+        local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
-                                                 pad);
        local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
        local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
-                                                 sizeof(*local_tx_pd) -
+                                                 sizeof(*local_tx_pd));
-                                                 pad);
        if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
                local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
                                       ra_list_flags);
                return -1;
        }
-        skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);
+        /* skb_aggr->data already 64 byte align, just reserve bus interface
+         * header and txpd.
+         */
+        skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
        tx_info_aggr =  MWIFIEX_SKB_TXCB(skb_aggr);
        memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));
author	Xinming Hu <huxm@marvell.com>	2017-01-11 11:11:24 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-05-14 08:00:15 -0400
commit	dcdeaa74334299fd98c29703aa82deec3ae6b37a (patch)
tree	ea1db89593dba7604f540f0f6fa8465abba9db6c
parent	525fda9221a8f78d214e42a6e18d1fd13d73dc11 (diff)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c index c47d6366875d..a75013ac84d7 100644 --- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c +++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifiex_private *priv,
101	{	101	{
102	struct txpd *local_tx_pd;	102	struct txpd *local_tx_pd;
103	struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);	103	struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
104	unsigned int pad;
105	int headroom = (priv->adapter->iface_type ==
106	MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
107
108	pad = ((void )skb->data - sizeof(local_tx_pd) -
109	headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
110	skb_push(skb, pad);
111		104
112	skb_push(skb, sizeof(*local_tx_pd));	105	skb_push(skb, sizeof(*local_tx_pd));
113		106
@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifiex_private *priv,
121	local_tx_pd->bss_num = priv->bss_num;	114	local_tx_pd->bss_num = priv->bss_num;
122	local_tx_pd->bss_type = priv->bss_type;	115	local_tx_pd->bss_type = priv->bss_type;
123	/* Always zero as the data is followed by struct txpd */	116	/* Always zero as the data is followed by struct txpd */
124	local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +	117	local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
125	pad);
126	local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);	118	local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
127	local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -	119	local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
128	sizeof(*local_tx_pd) -	120	sizeof(*local_tx_pd));
129	pad);
130		121
131	if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)	122	if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
132	local_tx_pd->flags \|= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;	123	local_tx_pd->flags \|= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
190	ra_list_flags);	181	ra_list_flags);
191	return -1;	182	return -1;
192	}	183	}
193	skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);	184
		185	/* skb_aggr->data already 64 byte align, just reserve bus interface
		186	* header and txpd.
		187	*/
		188	skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
194	tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr);	189	tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr);
195		190
196	memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));	191	memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));