aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2009-03-27 17:51:58 -0400
committerJohn W. Linville <linville@tuxdriver.com>2009-04-16 10:39:03 -0400
commitec9a1d8c13e36440eda0f3c79b8149080e3ab5ba (patch)
tree1161df766e28187c41ed527d7a7334a9e74f0304 /drivers
parentb3631286aca3f54427ca0eb950981e9753866f6c (diff)
b43: Poison RX buffers
This patch adds poisoning and sanity checking to the RX DMA buffers. This is used for protection against buggy hardware/firmware that raises RX interrupts without doing an actual DMA transfer. This mechanism protects against rare "bad packets" (due to uninitialized skb data) and rare kernel crashes due to uninitialized RX headers. The poison is selected to not match on valid frames and to be cheap for checking. The poison check mechanism _might_ trigger incorrectly, if we are voluntarily receiving frames with bad PLCP headers. However, this is nonfatal, because the chance of such a match is basically zero and in case it happens it just results in dropping the packet. Bad-PLCP RX defaults to off, and you should leave it off unless you want to listen to the latest news broadcasted by your microwave oven. This patch also moves the initialization of the RX-header "length" field in front of the mapping of the DMA buffer. The CPU should not touch the buffer after we mapped it. Cc: stable@kernel.org Reported-by: Francesco Gringoli <francesco.gringoli@ing.unibs.it> Signed-off-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/b43/dma.c37
1 files changed, 33 insertions, 4 deletions
diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c
index e228c1de6e11..dfa6c72c3bd2 100644
--- a/drivers/net/wireless/b43/dma.c
+++ b/drivers/net/wireless/b43/dma.c
@@ -555,11 +555,32 @@ address_error:
555 return 1; 555 return 1;
556} 556}
557 557
558static bool b43_rx_buffer_is_poisoned(struct b43_dmaring *ring, struct sk_buff *skb)
559{
560 unsigned char *f = skb->data + ring->frameoffset;
561
562 return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7]) == 0xFF);
563}
564
565static void b43_poison_rx_buffer(struct b43_dmaring *ring, struct sk_buff *skb)
566{
567 struct b43_rxhdr_fw4 *rxhdr;
568 unsigned char *frame;
569
570 /* This poisons the RX buffer to detect DMA failures. */
571
572 rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
573 rxhdr->frame_len = 0;
574
575 B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2);
576 frame = skb->data + ring->frameoffset;
577 memset(frame, 0xFF, sizeof(struct b43_plcp_hdr6) + 2 /* padding */);
578}
579
558static int setup_rx_descbuffer(struct b43_dmaring *ring, 580static int setup_rx_descbuffer(struct b43_dmaring *ring,
559 struct b43_dmadesc_generic *desc, 581 struct b43_dmadesc_generic *desc,
560 struct b43_dmadesc_meta *meta, gfp_t gfp_flags) 582 struct b43_dmadesc_meta *meta, gfp_t gfp_flags)
561{ 583{
562 struct b43_rxhdr_fw4 *rxhdr;
563 dma_addr_t dmaaddr; 584 dma_addr_t dmaaddr;
564 struct sk_buff *skb; 585 struct sk_buff *skb;
565 586
@@ -568,6 +589,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
568 skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); 589 skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
569 if (unlikely(!skb)) 590 if (unlikely(!skb))
570 return -ENOMEM; 591 return -ENOMEM;
592 b43_poison_rx_buffer(ring, skb);
571 dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0); 593 dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0);
572 if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) { 594 if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) {
573 /* ugh. try to realloc in zone_dma */ 595 /* ugh. try to realloc in zone_dma */
@@ -578,6 +600,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
578 skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); 600 skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags);
579 if (unlikely(!skb)) 601 if (unlikely(!skb))
580 return -ENOMEM; 602 return -ENOMEM;
603 b43_poison_rx_buffer(ring, skb);
581 dmaaddr = map_descbuffer(ring, skb->data, 604 dmaaddr = map_descbuffer(ring, skb->data,
582 ring->rx_buffersize, 0); 605 ring->rx_buffersize, 0);
583 if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) { 606 if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) {
@@ -592,9 +615,6 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring,
592 ring->ops->fill_descriptor(ring, desc, dmaaddr, 615 ring->ops->fill_descriptor(ring, desc, dmaaddr,
593 ring->rx_buffersize, 0, 0, 0); 616 ring->rx_buffersize, 0, 0, 0);
594 617
595 rxhdr = (struct b43_rxhdr_fw4 *)(skb->data);
596 rxhdr->frame_len = 0;
597
598 return 0; 618 return 0;
599} 619}
600 620
@@ -1489,6 +1509,15 @@ static void dma_rx(struct b43_dmaring *ring, int *slot)
1489 goto drop; 1509 goto drop;
1490 } 1510 }
1491 } 1511 }
1512 if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) {
1513 /* Something went wrong with the DMA.
1514 * The device did not touch the buffer and did not overwrite the poison. */
1515 b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n");
1516 /* recycle the descriptor buffer. */
1517 sync_descbuffer_for_device(ring, meta->dmaaddr,
1518 ring->rx_buffersize);
1519 goto drop;
1520 }
1492 if (unlikely(len > ring->rx_buffersize)) { 1521 if (unlikely(len > ring->rx_buffersize)) {
1493 /* The data did not fit into one descriptor buffer 1522 /* The data did not fit into one descriptor buffer
1494 * and is split over multiple buffers. 1523 * and is split over multiple buffers.