In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap
only"), buffers whose length is too short cause a WARN_ON(1) to be
executed. This change exposed a fault in rtlwifi drivers, which is fixed
by increasing the length of the affected buffer before it is sent to
mac80211.
Cc: Stable <[email protected]> # v5.0+
Signed-off-by: Larry Finger <[email protected]>
---
Kalle,
Please send to v5.4.
Larry
---
drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
index 6087ec7a90a6..bb5144b7c64f 100644
--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
+++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
@@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw,
dev_kfree_skb_any(skb);
} else {
struct sk_buff *uskb = NULL;
+ int len = skb->len;
+ if (unlikely(len <= FCS_LEN))
+ len = FCS_LEN + 2;
uskb = dev_alloc_skb(skb->len + 128);
if (likely(uskb)) {
memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,
--
2.23.0
Hi,
This patch doesn't appear to do anything? The increased length is not actually
used, is a part of the patch missing?
ps: superficial reading, i am not hampered by any specific knowledge of this driver.
On 2019-10-19 21:02, Larry Finger wrote:
> In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap
> only"), buffers whose length is too short cause a WARN_ON(1) to be
> executed. This change exposed a fault in rtlwifi drivers, which is fixed
> by increasing the length of the affected buffer before it is sent to
> mac80211.
>
> Cc: Stable <[email protected]> # v5.0+
> Signed-off-by: Larry Finger <[email protected]>
> ---
>
> Kalle,
>
> Please send to v5.4.
>
> Larry
> ---
>
> drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
> index 6087ec7a90a6..bb5144b7c64f 100644
> --- a/drivers/net/wireless/realtek/rtlwifi/pci.c
> +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
> @@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw,
> dev_kfree_skb_any(skb);
> } else {
> struct sk_buff *uskb = NULL;
> + int len = skb->len;
>
> + if (unlikely(len <= FCS_LEN))
> + len = FCS_LEN + 2;
> uskb = dev_alloc_skb(skb->len + 128);
> if (likely(uskb)) {
> memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,
>
On 10/19/19 5:23 PM, ian.schram wrote:
> Hi,
>
>
> This patch doesn't appear to do anything? The increased length is not actually
> used, is a part of the patch missing?
>
>
> ps: superficial reading, i am not hampered by any specific knowledge of this
> driver.
>
> On 2019-10-19 21:02, Larry Finger wrote:
>> In commit 8020919a9b99 ("mac80211: Properly handle SKB with radiotap
>> only"), buffers whose length is too short cause a WARN_ON(1) to be
>> executed. This change exposed a fault in rtlwifi drivers, which is fixed
>> by increasing the length of the affected buffer before it is sent to
>> mac80211.
>>
>> Cc: Stable <[email protected]> # v5.0+
>> Signed-off-by: Larry Finger <[email protected]>
>> ---
>>
>> Kalle,
>>
>> Please send to v5.4.
>>
>> Larry
>> ---
>>
>> drivers/net/wireless/realtek/rtlwifi/pci.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c
>> b/drivers/net/wireless/realtek/rtlwifi/pci.c
>> index 6087ec7a90a6..bb5144b7c64f 100644
>> --- a/drivers/net/wireless/realtek/rtlwifi/pci.c
>> +++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
>> @@ -692,7 +692,10 @@ static void _rtl_pci_rx_to_mac80211(struct ieee80211_hw *hw,
>> dev_kfree_skb_any(skb);
>> } else {
>> struct sk_buff *uskb = NULL;
>> + int len = skb->len;
>> + if (unlikely(len <= FCS_LEN))
>> + len = FCS_LEN + 2;
>> uskb = dev_alloc_skb(skb->len + 128);
>> if (likely(uskb)) {
>> memcpy(IEEE80211_SKB_RXCB(uskb), &rx_status,
>>
Ian,
Yes, I debugged using a different tree and missed one use of the new len. V2
submitted.
Thanks for noticing.
Larry