2016-07-21 11:01:00

by Amitkumar Karwar

Subject: [PATCH] mwifiex: fix large amsdu packets causing firmware hang

From: Cathy Luo <[email protected]>

Sometimes host prepares and downloads a large amsdu packet to firmware
which leads to a memory corruption in firmware.
The reason is __dev_alloc_skb() may allocate larger buffer than required
size. This patch solves the problem by checking "adapter->tx_buf_size"
instead of relying on skb_tailroom().

Signed-off-by: Cathy Luo <[email protected]>
Signed-off-by: Amitkumar Karwar <[email protected]>
---
drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index dc49c3d..c47d636 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -205,7 +205,8 @@ mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,

do {
/* Check if AMSDU can accommodate this MSDU */
- if (skb_tailroom(skb_aggr) < (skb_src->len + LLC_SNAP_LEN))
+ if ((skb_aggr->len + skb_src->len + LLC_SNAP_LEN) >
+ adapter->tx_buf_size)
break;

skb_src = skb_dequeue(&pra_list->skb_head);
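Review bot: The new condition in the do loop replaces the skb_tailroom() test instead of adding to it, so nothing in this check guards the host-side buffer any more. If skb_aggr is ever allocated with less usable room than adapter->tx_buf_size, or headroom is reserved out of that allocation, appending the next MSDU would run past the skb. Consider breaking out when either limit is hit, i.e. when `skb_aggr->len + skb_src->len + LLC_SNAP_LEN > adapter->tx_buf_size` or when `skb_tailroom(skb_aggr) < skb_src->len + LLC_SNAP_LEN`. It is also worth confirming that LLC_SNAP_LEN covers everything the loop body appends per subframe, since any alignment padding is not counted in this sum, and a one-line comment saying why tx_buf_size is the bound the firmware cares about would help later readers.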
--
1.9.1



2016-07-21 14:55:26

by Amitkumar Karwar

Subject: RE: [PATCH] mwifiex: fix large amsdu packets causing firmware hang

> From: [email protected] [mailto:linux-wireless-
> [email protected]] On Behalf Of Kalle Valo
> Sent: Thursday, July 21, 2016 8:19 PM
> To: Amitkumar Karwar
> Cc: [email protected]; Cathy Luo; Nishant Sarmukadam
> Subject: Re: [PATCH] mwifiex: fix large amsdu packets causing firmware
> hang
>
> Amitkumar Karwar <[email protected]> writes:
>
> > From: Cathy Luo <[email protected]>
> >
> > Sometimes host prepares and downloads a large amsdu packet to firmware
> > which leads to a memory corruption in firmware.
> > The reason is __dev_alloc_skb() may allocate larger buffer than
> > required size. This patch solves the problem by checking
> > "adapter->tx_buf_size" instead of relying on skb_tailroom().
> >
> > Signed-off-by: Cathy Luo <[email protected]>
> > Signed-off-by: Amitkumar Karwar <[email protected]>
>
> Should this go to 4.8 as an important fix?
>

Yes. Please.

Regards,
Amitkumar.

2016-07-21 14:48:42

by Kalle Valo

Subject: Re: [PATCH] mwifiex: fix large amsdu packets causing firmware hang

Amitkumar Karwar <[email protected]> writes:

> From: Cathy Luo <[email protected]>
>
> Sometimes host prepares and downloads a large amsdu packet to firmware
> which leads to a memory corruption in firmware.
> The reason is __dev_alloc_skb() may allocate larger buffer than required
> size. This patch solves the problem by checking "adapter->tx_buf_size"
> instead of relying on skb_tailroom().
>
> Signed-off-by: Cathy Luo <[email protected]>
> Signed-off-by: Amitkumar Karwar <[email protected]>

Should this go to 4.8 as an important fix?

--
Kalle Valo

2016-08-18 13:26:12

by Kalle Valo

Subject: Re: mwifiex: fix large amsdu packets causing firmware hang

Amitkumar Karwar <[email protected]> wrote:
> From: Cathy Luo <[email protected]>
>
> Sometimes host prepares and downloads a large amsdu packet to firmware
> which leads to a memory corruption in firmware.
> The reason is __dev_alloc_skb() may allocate larger buffer than required
> size. This patch solves the problem by checking "adapter->tx_buf_size"
> instead of relying on skb_tailroom().
>
> Signed-off-by: Cathy Luo <[email protected]>
> Signed-off-by: Amitkumar Karwar <[email protected]>

Thanks, 1 patch applied to wireless-drivers.git:

c81396f3da22 mwifiex: fix large amsdu packets causing firmware hang

--
Sent by pwcli
https://patchwork.kernel.org/patch/9241469/