diff options
| author | Christian Lamparter <chunkeey@web.de> | 2009-07-16 14:05:41 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2009-07-24 15:05:22 -0400 |
| commit | 436b37c59416d0d8e21430f7980857fc932eb1e6 (patch) | |
| tree | 3c603e2495571b2e51f7679863a22c9f507a231c | |
| parent | 46df10ae44b4488176bae16da0b31541eb0f8f48 (diff) | |
p54: fix a fw crash caused by statistic feedback
This patch fixes a bug which crawled into the tree with the split-up
changes.
The memory-manager wasn't aware of the statistic feedback
extra_len space requirements and happily placed following frames
into the allegedly free spots.
Thanks fly out to Larry Finger for taking the time to
test all (permutations of) patches and theories all day long.
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
| -rw-r--r-- | drivers/net/wireless/p54/fwio.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/drivers/net/wireless/p54/fwio.c b/drivers/net/wireless/p54/fwio.c index 349375f4a14b..21f19018fab5 100644 --- a/drivers/net/wireless/p54/fwio.c +++ b/drivers/net/wireless/p54/fwio.c | |||
| @@ -686,6 +686,8 @@ int p54_upload_key(struct p54_common *priv, u8 algo, int slot, u8 idx, u8 len, | |||
| 686 | 686 | ||
| 687 | int p54_fetch_statistics(struct p54_common *priv) | 687 | int p54_fetch_statistics(struct p54_common *priv) |
| 688 | { | 688 | { |
| 689 | struct ieee80211_tx_info *txinfo; | ||
| 690 | struct p54_tx_info *p54info; | ||
| 689 | struct sk_buff *skb; | 691 | struct sk_buff *skb; |
| 690 | 692 | ||
| 691 | skb = p54_alloc_skb(priv, P54_HDR_FLAG_CONTROL, | 693 | skb = p54_alloc_skb(priv, P54_HDR_FLAG_CONTROL, |
| @@ -694,6 +696,20 @@ int p54_fetch_statistics(struct p54_common *priv) | |||
| 694 | if (!skb) | 696 | if (!skb) |
| 695 | return -ENOMEM; | 697 | return -ENOMEM; |
| 696 | 698 | ||
| 699 | /* | ||
| 700 | * The statistic feedback causes some extra headaches here, if it | ||
| 701 | * is not to crash/corrupt the firmware data structures. | ||
| 702 | * | ||
| 703 | * Unlike all other Control Get OIDs we can not use helpers like | ||
| 704 | * skb_put to reserve the space for the data we're requesting. | ||
| 705 | * Instead the extra frame length -which will hold the results later- | ||
| 706 | * will only be told to the p54_assign_address, so that following | ||
| 707 | * frames won't be placed into the allegedly empty area. | ||
| 708 | */ | ||
| 709 | txinfo = IEEE80211_SKB_CB(skb); | ||
| 710 | p54info = (void *) txinfo->rate_driver_data; | ||
| 711 | p54info->extra_len = sizeof(struct p54_statistics); | ||
| 712 | |||
| 697 | p54_tx(priv, skb); | 713 | p54_tx(priv, skb); |
| 698 | return 0; | 714 | return 0; |
| 699 | } | 715 | } |