aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorInaky Perez-Gonzalez <inaky@linux.intel.com>2009-05-20 20:16:05 -0400
committerInaky Perez-Gonzalez <inaky@linux.intel.com>2009-06-11 06:30:21 -0400
commitc56affafdd29eb9764b0e35e3434cc06f6bc3781 (patch)
treeb79de2da47cba80882ae85cf7f271cc7f574a27e
parent8593a1967fb9746d318dde88a0a39a36dbfc3445 (diff)
wimax/i2400m: fix panic/warnings caused by missed check on empty TX message
In some situations, when a new TX message header is started, there might be no space for data payloads. In this case the message is left with zero payloads and the i2400m_tx_close() function has just to mark it as "to skip". If it tries to go ahead it will overwrite things because there is no space to add padding as defined by the bus-specific layer. This can cause buffer overruns and in some stress cases, panics. Found and diagnosed by Cindy H. Kao. Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
-rw-r--r--drivers/net/wimax/i2400m/tx.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/net/wimax/i2400m/tx.c b/drivers/net/wimax/i2400m/tx.c
index a635fd720f3e..7c46c05a5866 100644
--- a/drivers/net/wimax/i2400m/tx.c
+++ b/drivers/net/wimax/i2400m/tx.c
@@ -474,10 +474,18 @@ void i2400m_tx_close(struct i2400m *i2400m)
474 struct i2400m_msg_hdr *tx_msg_moved; 474 struct i2400m_msg_hdr *tx_msg_moved;
475 size_t aligned_size, padding, hdr_size; 475 size_t aligned_size, padding, hdr_size;
476 void *pad_buf; 476 void *pad_buf;
477 unsigned num_pls;
477 478
478 if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */ 479 if (tx_msg->size & I2400M_TX_SKIP) /* a skipper? nothing to do */
479 goto out; 480 goto out;
480 481 num_pls = le16_to_cpu(tx_msg->num_pls);
482 /* We can get this situation when a new message was started
483 * and there was no space to add payloads before hitting the
484 tail (and taking padding into consideration). */
485 if (num_pls == 0) {
486 tx_msg->size |= I2400M_TX_SKIP;
487 goto out;
488 }
481 /* Relocate the message header 489 /* Relocate the message header
482 * 490 *
483 * Find the current header size, align it to 16 and if we need 491 * Find the current header size, align it to 16 and if we need