[thirdparty/kernel/stable-queue.git] / releases / 4.9.28 / mwifiex-remove-redundant-dma-padding-in-amsdu.patch

From 5f0a221f59ad6b72202ef9c6e232086de8c336f2 Mon Sep 17 00:00:00 2001
From: Xinming Hu <huxm@marvell.com>
Date: Wed, 11 Jan 2017 21:41:24 +0530
Subject: mwifiex: remove redundant dma padding in AMSDU

From: Xinming Hu <huxm@marvell.com>

commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream.

We already ensure 64 bytes alignment and add padding if required
during skb_aggr allocation.

Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant.
We may end up accessing more data than allocated size with this.

This patch fixes following issue by removing redundant padding.

[  370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550
put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev:<NULL>
[  370.241374] ------------[ cut here ]------------
[  370.241382] kernel BUG at net/core/skbuff.c:104!
  370.244032] Call Trace:
[  370.244041]  [<ffffffff8c3df5ec>] skb_put+0x44/0x45
[  370.244055]  [<ffffffffc046946a>]
mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex]
[  370.244067]  [<ffffffffc0467c16>] mwifiex_wmm_process_tx+0x44a/0x6b7
[mwifiex]
[  370.244074]  [<ffffffffc0411eb8>] ? 0xffffffffc0411eb8
[  370.244084]  [<ffffffffc046116b>] mwifiex_main_process+0x476/0x5a5
[mwifiex]
[  370.244098]  [<ffffffffc0461298>] mwifiex_main_process+0x5a3/0x5a5
[mwifiex]
[  370.244113]  [<ffffffff8be7e9ff>] process_one_work+0x1a4/0x309
[  370.244123]  [<ffffffff8be7f4ca>] worker_thread+0x20c/0x2ee
[  370.244130]  [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
[  370.244136]  [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
[  370.244143]  [<ffffffff8be83742>] kthread+0x11c/0x124
[  370.244150]  [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
[  370.244157]  [<ffffffff8c4da1ef>] ret_from_fork+0x3f/0x70
[  370.244168]  [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24

Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned")
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/marvell/mwifiex/11n_aggr.c |   19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
 {
 	struct txpd *local_tx_pd;
 	struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
-	unsigned int pad;
-	int headroom = (priv->adapter->iface_type ==
-			MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
-
-	pad = ((void *)skb->data - sizeof(*local_tx_pd) -
-		headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
-	skb_push(skb, pad);
 
 	skb_push(skb, sizeof(*local_tx_pd));
 
@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
 	local_tx_pd->bss_num = priv->bss_num;
 	local_tx_pd->bss_type = priv->bss_type;
 	/* Always zero as the data is followed by struct txpd */
-	local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +
-						 pad);
+	local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
 	local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
 	local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
-						 sizeof(*local_tx_pd) -
-						 pad);
+						 sizeof(*local_tx_pd));
 
 	if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
 		local_tx_pd->flags |= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex
 				       ra_list_flags);
 		return -1;
 	}
-	skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);
+
+	/* skb_aggr->data already 64 byte align, just reserve bus interface
+	 * header and txpd.
+	 */
+	skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
 	tx_info_aggr =  MWIFIEX_SKB_TXCB(skb_aggr);
 
 	memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));
Commit	Line	Data
b74db2ac GKH	1	From 5f0a221f59ad6b72202ef9c6e232086de8c336f2 Mon Sep 17 00:00:00 2001
	2	From: Xinming Hu <huxm@marvell.com>
	3	Date: Wed, 11 Jan 2017 21:41:24 +0530
	4	Subject: mwifiex: remove redundant dma padding in AMSDU
	5
	6	From: Xinming Hu <huxm@marvell.com>
	7
	8	commit 5f0a221f59ad6b72202ef9c6e232086de8c336f2 upstream.
	9
	10	We already ensure 64 bytes alignment and add padding if required
	11	during skb_aggr allocation.
	12
	13	Alignment and padding in mwifiex_11n_form_amsdu_txpd() is redundant.
	14	We may end up accessing more data than allocated size with this.
	15
	16	This patch fixes following issue by removing redundant padding.
	17
	18	[ 370.241338] skbuff: skb_over_panic: text:ffffffffc046946a len:3550
	19	put:72 head:ffff880000110000 data:ffff8800001100e4 tail:0xec2 end:0xec0 dev:<NULL>
	20	[ 370.241374] ------------[ cut here ]------------
	21	[ 370.241382] kernel BUG at net/core/skbuff.c:104!
	22	370.244032] Call Trace:
	23	[ 370.244041] [<ffffffff8c3df5ec>] skb_put+0x44/0x45
	24	[ 370.244055] [<ffffffffc046946a>]
	25	mwifiex_11n_aggregate_pkt+0x1e9/0xa50 [mwifiex]
	26	[ 370.244067] [<ffffffffc0467c16>] mwifiex_wmm_process_tx+0x44a/0x6b7
	27	[mwifiex]
	28	[ 370.244074] [<ffffffffc0411eb8>] ? 0xffffffffc0411eb8
	29	[ 370.244084] [<ffffffffc046116b>] mwifiex_main_process+0x476/0x5a5
	30	[mwifiex]
	31	[ 370.244098] [<ffffffffc0461298>] mwifiex_main_process+0x5a3/0x5a5
	32	[mwifiex]
	33	[ 370.244113] [<ffffffff8be7e9ff>] process_one_work+0x1a4/0x309
	34	[ 370.244123] [<ffffffff8be7f4ca>] worker_thread+0x20c/0x2ee
	35	[ 370.244130] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
	36	[ 370.244136] [<ffffffff8be7f2be>] ? rescuer_thread+0x383/0x383
	37	[ 370.244143] [<ffffffff8be83742>] kthread+0x11c/0x124
	38	[ 370.244150] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
	39	[ 370.244157] [<ffffffff8c4da1ef>] ret_from_fork+0x3f/0x70
	40	[ 370.244168] [<ffffffff8be83626>] ? kthread_parkme+0x24/0x24
	41
	42	Fixes: 84b313b35f8158d ("mwifiex: make tx packet 64 byte DMA aligned")
	43	Signed-off-by: Xinming Hu <huxm@marvell.com>
	44	Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
	45	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	46	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	47
	48	---
	49	drivers/net/wireless/marvell/mwifiex/11n_aggr.c \| 19 +++++++------------
	50	1 file changed, 7 insertions(+), 12 deletions(-)
	51
	52	--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
	53	+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
	54	@@ -101,13 +101,6 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
	55	{
	56	struct txpd *local_tx_pd;
	57	struct mwifiex_txinfo *tx_info = MWIFIEX_SKB_TXCB(skb);
	58	- unsigned int pad;
	59	- int headroom = (priv->adapter->iface_type ==
	60	- MWIFIEX_USB) ? 0 : INTF_HEADER_LEN;
	61	-
	62	- pad = ((void )skb->data - sizeof(local_tx_pd) -
	63	- headroom - NULL) & (MWIFIEX_DMA_ALIGN_SZ - 1);
	64	- skb_push(skb, pad);
65
66	skb_push(skb, sizeof(*local_tx_pd));
67
68	@@ -121,12 +114,10 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi
69	local_tx_pd->bss_num = priv->bss_num;
70	local_tx_pd->bss_type = priv->bss_type;
71	/* Always zero as the data is followed by struct txpd */
72	- local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd) +
73	- pad);
74	+ local_tx_pd->tx_pkt_offset = cpu_to_le16(sizeof(struct txpd));
75	local_tx_pd->tx_pkt_type = cpu_to_le16(PKT_TYPE_AMSDU);
76	local_tx_pd->tx_pkt_length = cpu_to_le16(skb->len -
77	- sizeof(*local_tx_pd) -
78	- pad);
79	+ sizeof(*local_tx_pd));
80
81	if (tx_info->flags & MWIFIEX_BUF_FLAG_TDLS_PKT)
82	local_tx_pd->flags \|= MWIFIEX_TXPD_FLAGS_TDLS_PACKET;
83	@@ -190,7 +181,11 @@ mwifiex_11n_aggregate_pkt(struct mwifiex
84	ra_list_flags);
85	return -1;
86	}
87	- skb_reserve(skb_aggr, MWIFIEX_MIN_DATA_HEADER_LEN);
88	+
89	+ /* skb_aggr->data already 64 byte align, just reserve bus interface
90	+ * header and txpd.
91	+ */
92	+ skb_reserve(skb_aggr, headroom + sizeof(struct txpd));
93	tx_info_aggr = MWIFIEX_SKB_TXCB(skb_aggr);
94
95	memset(tx_info_aggr, 0, sizeof(*tx_info_aggr));