rt2x00: Preserve descriptor information after memmove()

Due to usage of memmove() in rt2x00usb the descriptor can become corrupted because it is being overwritten by the data part. Overall having the descriptor in front of the frame is a bad idea, we can however use the skb->cb array for this task, since that contains more then enough room to hold the entire descriptor and preserve the information long enough. After this we can also cleanup the alignment code a bit to make it work a bit more flexible to allow for all kinds of odd header lengths. Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Ivo van Doorn <ivdoorn@gmail.com> 2008-05-10 07:43:38 -0400
committer: John W. Linville <linville@tuxdriver.com> 2008-05-21 21:47:32 -0400
commit: 70a96109439cba0af0780ee1dc25ec7ed15f0bae (patch)
tree: 1e6feb2b77486a90012f117201c13b35ab2020d7 /drivers/net/wireless/rt2x00/rt73usb.c
parent: 61448f88078e813bbaaa58eb775d650c85e7d407 (diff)
1 files changed, 11 insertions, 15 deletions
diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c
index 2191d8b94a89..1bcf8c132cdc 100644
--- a/drivers/net/wireless/rt2x00/rt73usb.c
+++ b/drivers/net/wireless/rt2x00/rt73usb.c
@@ -1403,20 +1403,22 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry,
 {
        struct skb_frame_desc *skbdesc = get_skb_frame_desc(entry->skb);
        __le32 *rxd = (__le32 *)entry->skb->data;
-        unsigned int offset = entry->queue->desc_size + 2;
        u32 word0;
        u32 word1;
        /*
-         * Copy descriptor to the available headroom inside the skbuffer.
+         * Copy descriptor to the skb->cb array, this has 2 benefits:
+         * 1) Each descriptor word is 4 byte aligned.
+         * 2) Descriptor is safe  from moving of frame data in rt2x00usb.
         */
-        skb_push(entry->skb, offset);
+        skbdesc->desc_len =
-        memcpy(entry->skb->data, rxd, entry->queue->desc_size);
+            min_t(u16, entry->queue->desc_size, sizeof(entry->skb->cb));
-        rxd = (__le32 *)entry->skb->data;
+        memcpy(entry->skb->cb, rxd, skbdesc->desc_len);
+        skbdesc->desc = entry->skb->cb;
+        rxd = (__le32 *)skbdesc->desc;
        /*
-         * The descriptor is now aligned to 4 bytes and thus it is
+         * It is now safe to read the descriptor on all architectures.
-         * now safe to read it on all architectures.
         */
        rt2x00_desc_read(rxd, 0, &word0);
        rt2x00_desc_read(rxd, 1, &word1);
@@ -1442,18 +1444,12 @@ static void rt73usb_fill_rxdone(struct queue_entry *entry,
                rxdesc->dev_flags |= RXDONE_MY_BSS;
        /*
-         * Adjust the skb memory window to the frame boundaries.
+         * Set skb pointers, and update frame information.
         */
-        skb_pull(entry->skb, offset + entry->queue->desc_size);
+        skb_pull(entry->skb, entry->queue->desc_size);
        skb_trim(entry->skb, rxdesc->size);
-        /*
-         * Set descriptor and data pointer.
-         */
        skbdesc->data = entry->skb->data;
        skbdesc->data_len = rxdesc->size;
-        skbdesc->desc = rxd;
-        skbdesc->desc_len = entry->queue->desc_size;
 }
 /*
author	Ivo van Doorn <ivdoorn@gmail.com>	2008-05-10 07:43:38 -0400
committer	John W. Linville <linville@tuxdriver.com>	2008-05-21 21:47:32 -0400
commit	70a96109439cba0af0780ee1dc25ec7ed15f0bae (patch)
tree	1e6feb2b77486a90012f117201c13b35ab2020d7 /drivers/net/wireless/rt2x00/rt73usb.c
parent	61448f88078e813bbaaa58eb775d650c85e7d407 (diff)