Página inicial Explorar Ajuda
Registrar Entrar
OpenWrt
/
openwrt
mirror de https://github.com/openwrt/openwrt.git
2
0
Fork 0
Arquivos Issues 0 Wiki
Tree: 61b5b4971e
Branches Tags
openwrt
/
package
/
kernel
/
mac80211
/
patches
/
384-mac80211-avoid-kernel-panic-when-building-AMSDU-from.patch

384-mac80211-avoid-kernel-panic-when-building-AMSDU-from.patch 3.2 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. From: Sara Sharon <[email protected]>
    2. 

  2. Date: Wed, 29 Aug 2018 08:57:02 +0200
    3. 

  3. Subject: [PATCH] mac80211: avoid kernel panic when building AMSDU from
    4. 

  4.  non-linear SKB
    5. 

  5. 

  6. When building building AMSDU from non-linear SKB, we hit a
    7. 

  7. kernel panic when trying to push the padding to the tail.
    8. 

  8. Instead, put the padding at the head of the next subframe.
    9. 

  9. This also fixes the A-MSDU subframes to not have the padding
    10. 

  10. accounted in the length field and not have pad at all for
    11. 

  11. the last subframe, both required by the spec.
    12. 

  12. 

  13. Fixes: 6e0456b54545 ("mac80211: add A-MSDU tx support")
    14. 

  14. Signed-off-by: Sara Sharon <[email protected]>
    15. 

  15. Reviewed-by: Lorenzo Bianconi <[email protected]>
    16. 

  16. Signed-off-by: Johannes Berg <[email protected]>
    17. 

  17. ---
    18. 

  18. 

  19. --- a/net/mac80211/tx.c
    20. 

  20. +++ b/net/mac80211/tx.c
    21. 

  21. @@ -3064,27 +3064,18 @@ void ieee80211_clear_fast_xmit(struct st
    22. 

  22.  }
    23. 

  23.  
    24. 

  24.  static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
    25. 

  25. -					struct sk_buff *skb, int headroom,
    26. 

  26. -					int *subframe_len)
    27. 

  27. +					struct sk_buff *skb, int headroom)
    28. 

  28.  {
    29. 

  29. -	int amsdu_len = *subframe_len + sizeof(struct ethhdr);
    30. 

  30. -	int padding = (4 - amsdu_len) & 3;
    31. 

  31. -
    32. 

  32. -	if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
    33. 

  33. +	if (skb_headroom(skb) < headroom) {
    34. 

  34.  		I802_DEBUG_INC(local->tx_expand_skb_head);
    35. 

  35.  
    36. 

  36. -		if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
    37. 

  37. +		if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
    38. 

  38.  			wiphy_debug(local->hw.wiphy,
    39. 

  39.  				    "failed to reallocate TX buffer\n");
    40. 

  40.  			return false;
    41. 

  41.  		}
    42. 

  42.  	}
    43. 

  43.  
    44. 

  44. -	if (padding) {
    45. 

  45. -		*subframe_len += padding;
    46. 

  46. -		skb_put_zero(skb, padding);
    47. 

  47. -	}
    48. 

  48. -
    49. 

  49.  	return true;
    50. 

  50.  }
    51. 

  51.  
    52. 

  52. @@ -3108,8 +3099,7 @@ static bool ieee80211_amsdu_prepare_head
    53. 

  53.  	if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
    54. 

  54.  		return true;
    55. 

  55.  
    56. 

  56. -	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
    57. 

  57. -					 &subframe_len))
    58. 

  58. +	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
    59. 

  59.  		return false;
    60. 

  60.  
    61. 

  61.  	data = skb_push(skb, sizeof(*amsdu_hdr));
    62. 

  62. @@ -3176,7 +3166,8 @@ static bool ieee80211_amsdu_aggregate(st
    63. 

  63.  	void *data;
    64. 

  64.  	bool ret = false;
    65. 

  65.  	unsigned int orig_len;
    66. 

  66. -	int n = 1, nfrags;
    67. 

  67. +	int n = 1, nfrags, pad = 0;
    68. 

  68. +	u16 hdrlen;
    69. 

  69.  
    70. 

  70.  	if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
    71. 

  71.  		return false;
    72. 

  72. @@ -3228,8 +3219,19 @@ static bool ieee80211_amsdu_aggregate(st
    73. 

  73.  	if (max_frags && nfrags > max_frags)
    74. 

  74.  		goto out;
    75. 

  75.  
    76. 

  76. -	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
    77. 

  77. -					 &subframe_len))
    78. 

  78. +	/*
    79. 

  79. +	 * Pad out the previous subframe to a multiple of 4 by adding the
    80. 

  80. +	 * padding to the next one, that's being added. Note that head->len
    81. 

  81. +	 * is the length of the full A-MSDU, but that works since each time
    82. 

  82. +	 * we add a new subframe we pad out the previous one to a multiple
    83. 

  83. +	 * of 4 and thus it no longer matters in the next round.
    84. 

  84. +	 */
    85. 

  85. +	hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
    86. 

  86. +	if ((head->len - hdrlen) & 3)
    87. 

  87. +		pad = 4 - ((head->len - hdrlen) & 3);
    88. 

  88. +
    89. 

  89. +	if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
    90. 

  90. +						     2 + pad))
    91. 

  91.  		goto out;
    92. 

  92.  
    93. 

  93.  	ret = true;
    94. 

  94. @@ -3241,6 +3243,8 @@ static bool ieee80211_amsdu_aggregate(st
    95. 

  95.  	memcpy(data, &len, 2);
    96. 

  96.  	memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
    97. 

  97.  
    98. 

  98. +	memset(skb_push(skb, pad), 0, pad);
    99. 

  99. +
    100. 

  100.  	head->len += skb->len;
    101. 

  101.  	head->data_len += skb->len;
    102. 

  102.  	*frag_tail = skb;
    103.