authorDaniel C Halperin <daniel.c.halperin@intel.com>2009-08-13 16:31:01 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-08-20 11:33:13 -0400
commit396887a2b2ad1ef5e5526fec34dec582baf39b81 (patch)
tree5730d04dedb1cbd97ececce93c039b642d8abaa1 /drivers/net/wireless
parent15993e08ac027b64b6f3400d32754966b4cac7b0 (diff)
iwlwifi: fix erroneous use of iwl_rx_packet.len as a length
The field called 'len' in struct iwl_rx_packet is in fact not just a length field but also includes some flags from the flow handler. In several places throughout the driver, this causes incorrect values to be interpreted as lengths when the field is improperly masked. In most situations the improper use is for debugging output, and simply results in an erroneous message, such as: [551933.070224] ieee80211 phy0: I iwl_rx_statistics Statistics notification received (480 vs -1367342620). which should read '(480 vs 484)'. In at least one case this could cause bad things to happen: void iwl_rx_pm_debug_statistics_notif(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb) { struct iwl_rx_packet *pkt = (struct iwl_rx_packet *)rxb->skb->data; IWL_DEBUG_RADIO(priv, "Dumping %d bytes of unhandled " "notification for %s:\n", le32_to_cpu(pkt->len), get_cmd_string(pkt->hdr.cmd)); iwl_print_hex_dump(priv, IWL_DL_RADIO, pkt->u.raw, le32_to_cpu(pkt->len) ); } EXPORT_SYMBOL(iwl_rx_pm_debug_statistics_notif); Given the rampant misuse of this field without proper masking throughout the driver (every use but one), this patch renames the field from 'len' to 'len_n_flags' to reduce confusion. It also adds the proper masking when this field is used as a length value. Signed-off-by: Daniel C Halperin <daniel.c.halperin@intel.com> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless')
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-3945.c5
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-5000.c2
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-commands.h2
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-core.c7
-rw-r--r--drivers/net/wireless/iwlwifi/iwl-rx.c3
5 files changed, 11 insertions, 8 deletions
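--- a/drivers/net/wireless/iwlwifi/iwl-3945.c
+++ b/drivers/net/wireless/iwlwifi/iwl-3945.c
@@ -349,12 +349,13 @@ static void iwl3945_rx_reply_tx(struct iwl_priv *priv,
  *
  *****************************************************************************/
 
-void iwl3945_hw_rx_statistics(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb)
+void iwl3945_hw_rx_statistics(struct iwl_priv *priv,
+ struct iwl_rx_mem_buffer *rxb)
 {
  struct iwl_rx_packet *pkt = (void *)rxb->skb->data;
  IWL_DEBUG_RX(priv, "Statistics notification received (%d vs %d).\n",
  (int)sizeof(struct iwl3945_notif_statistics),
- le32_to_cpu(pkt->len));
+ le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK);
 
  memcpy(&priv->statistics_39, pkt->u.raw, sizeof(priv->statistics_39));
 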
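Review bot: The masked frame size in iwl3945_hw_rx_statistics is only logged; the memcpy two lines below still copies sizeof(priv->statistics_39) bytes from pkt->u.raw whether or not the device reported that many. A short notification would fill the tail of priv->statistics_39 with whatever followed it in the receive buffer. Consider computing the masked length once and bailing out before the copy, e.g. `if (len < sizeof(priv->statistics_39)) return;`, after allowing for any header bytes the frame size also counts (the "reduce the size of the length field itself" comment in iwl5000_rx_calib_result suggests it does). iwl_rx_statistics in iwl-rx.c prints the same comparison and probably has the same gap, though its copy is outside the visible hunk. The function body continues past the end of this hunk.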
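--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
+++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
@@ -494,7 +494,7 @@ static void iwl5000_rx_calib_result(struct iwl_priv *priv,
 {
  struct iwl_rx_packet *pkt = (void *)rxb->skb->data;
  struct iwl_calib_hdr *hdr = (struct iwl_calib_hdr *)pkt->u.raw;
- int len = le32_to_cpu(pkt->len) & FH_RSCSR_FRAME_SIZE_MSK;
+ int len = le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK;
  int index;
 
  /* reduce the size of the length field itself */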
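--- a/drivers/net/wireless/iwlwifi/iwl-commands.h
+++ b/drivers/net/wireless/iwlwifi/iwl-commands.h
@@ -3482,7 +3482,7 @@ struct iwl_wimax_coex_cmd {
  *****************************************************************************/
 
 struct iwl_rx_packet {
- __le32 len;
+ __le32 len_n_flags;
  struct iwl_cmd_header hdr;
  union {
  struct iwl3945_rx_frame rx_frame;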
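--- a/drivers/net/wireless/iwlwifi/iwl-core.c
+++ b/drivers/net/wireless/iwlwifi/iwl-core.c
@@ -2294,10 +2294,11 @@ void iwl_rx_pm_debug_statistics_notif(struct iwl_priv *priv,
  struct iwl_rx_mem_buffer *rxb)
 {
  struct iwl_rx_packet *pkt = (struct iwl_rx_packet *)rxb->skb->data;
+ u32 len = le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK;
  IWL_DEBUG_RADIO(priv, "Dumping %d bytes of unhandled "
- "notification for %s:\n",
- le32_to_cpu(pkt->len), get_cmd_string(pkt->hdr.cmd));
- iwl_print_hex_dump(priv, IWL_DL_RADIO, pkt->u.raw, le32_to_cpu(pkt->len));
+ "notification for %s:\n", len,
+ get_cmd_string(pkt->hdr.cmd));
+ iwl_print_hex_dump(priv, IWL_DL_RADIO, pkt->u.raw, len);
 }
 EXPORT_SYMBOL(iwl_rx_pm_debug_statistics_notif);
 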
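Review bot: `len` in iwl_rx_pm_debug_statistics_notif is still a device-supplied value, and it is passed to iwl_print_hex_dump as the byte count with no upper bound tied to the receive buffer. Masking with FH_RSCSR_FRAME_SIZE_MSK strips the flag bits, but nothing in the hunk shows that pkt->u.raw actually holds that many bytes, so a malformed notification could still dump memory past the packet into the log. Clamping `len` to the bytes remaining in the buffer after the packet header before the dump would close that. Since `len` is a u32, the format specifier should also be `%u` rather than `%d`.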
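--- a/drivers/net/wireless/iwlwifi/iwl-rx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-rx.c
@@ -539,7 +539,8 @@ void iwl_rx_statistics(struct iwl_priv *priv,
  struct iwl_rx_packet *pkt = (struct iwl_rx_packet *)rxb->skb->data;
 
  IWL_DEBUG_RX(priv, "Statistics notification received (%d vs %d).\n",
- (int)sizeof(priv->statistics), pkt->len);
+ (int)sizeof(priv->statistics),
+ le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK);
 
  change = ((priv->statistics.general.temperature !=
  pkt->u.stats.general.temperature) ||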