aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--drivers/net/wireless/ath/ath9k/htc_drv_txrx.c44
1 files changed, 22 insertions, 22 deletions
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index 08bfe5d81c17..28abc7d5e909 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -448,10 +448,32 @@ static bool ath9k_rx_prepare(struct ath9k_htc_priv *priv,
448 struct ieee80211_hw *hw = priv->hw; 448 struct ieee80211_hw *hw = priv->hw;
449 struct sk_buff *skb = rxbuf->skb; 449 struct sk_buff *skb = rxbuf->skb;
450 struct ath_common *common = ath9k_hw_common(priv->ah); 450 struct ath_common *common = ath9k_hw_common(priv->ah);
451 struct ath_htc_rx_status *rxstatus;
451 int hdrlen, padpos, padsize; 452 int hdrlen, padpos, padsize;
452 int last_rssi = ATH_RSSI_DUMMY_MARKER; 453 int last_rssi = ATH_RSSI_DUMMY_MARKER;
453 __le16 fc; 454 __le16 fc;
454 455
456 if (skb->len <= HTC_RX_FRAME_HEADER_SIZE) {
457 ath_print(common, ATH_DBG_FATAL,
458 "Corrupted RX frame, dropping\n");
459 goto rx_next;
460 }
461
462 rxstatus = (struct ath_htc_rx_status *)skb->data;
463
464 if (be16_to_cpu(rxstatus->rs_datalen) -
465 (skb->len - HTC_RX_FRAME_HEADER_SIZE) != 0) {
466 ath_print(common, ATH_DBG_FATAL,
467 "Corrupted RX data len, dropping "
468 "(dlen: %d, skblen: %d)\n",
469 rxstatus->rs_datalen, skb->len);
470 goto rx_next;
471 }
472
473 /* Get the RX status information */
474 memcpy(&rxbuf->rxstatus, rxstatus, HTC_RX_FRAME_HEADER_SIZE);
475 skb_pull(skb, HTC_RX_FRAME_HEADER_SIZE);
476
455 hdr = (struct ieee80211_hdr *)skb->data; 477 hdr = (struct ieee80211_hdr *)skb->data;
456 fc = hdr->frame_control; 478 fc = hdr->frame_control;
457 hdrlen = ieee80211_get_hdrlen_from_skb(skb); 479 hdrlen = ieee80211_get_hdrlen_from_skb(skb);
@@ -616,8 +638,6 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb,
616 struct ath_hw *ah = priv->ah; 638 struct ath_hw *ah = priv->ah;
617 struct ath_common *common = ath9k_hw_common(ah); 639 struct ath_common *common = ath9k_hw_common(ah);
618 struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL; 640 struct ath9k_htc_rxbuf *rxbuf = NULL, *tmp_buf = NULL;
619 struct ath_htc_rx_status *rxstatus;
620 u32 len = 0;
621 641
622 spin_lock(&priv->rx.rxbuflock); 642 spin_lock(&priv->rx.rxbuflock);
623 list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) { 643 list_for_each_entry(tmp_buf, &priv->rx.rxbuf, list) {
@@ -634,27 +654,7 @@ void ath9k_htc_rxep(void *drv_priv, struct sk_buff *skb,
634 goto err; 654 goto err;
635 } 655 }
636 656
637 len = skb->len;
638 if (len <= HTC_RX_FRAME_HEADER_SIZE) {
639 ath_print(common, ATH_DBG_FATAL,
640 "Corrupted RX frame, dropping\n");
641 goto err;
642 }
643
644 rxstatus = (struct ath_htc_rx_status *)skb->data;
645
646 if (be16_to_cpu(rxstatus->rs_datalen) -
647 (len - HTC_RX_FRAME_HEADER_SIZE) != 0) {
648 ath_print(common, ATH_DBG_FATAL,
649 "Corrupted RX data len, dropping "
650 "(epid: %d, dlen: %d, skblen: %d)\n",
651 ep_id, rxstatus->rs_datalen, len);
652 goto err;
653 }
654
655 spin_lock(&priv->rx.rxbuflock); 657 spin_lock(&priv->rx.rxbuflock);
656 memcpy(&rxbuf->rxstatus, rxstatus, HTC_RX_FRAME_HEADER_SIZE);
657 skb_pull(skb, HTC_RX_FRAME_HEADER_SIZE);
658 rxbuf->skb = skb; 658 rxbuf->skb = skb;
659 rxbuf->in_process = true; 659 rxbuf->in_process = true;
660 spin_unlock(&priv->rx.rxbuflock); 660 spin_unlock(&priv->rx.rxbuflock);
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-13 17:07:53 -0400