From patchwork Wed Apr 3 10:40:28 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arend van Spriel X-Patchwork-Id: 2386221 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork2.kernel.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by patchwork2.kernel.org (Postfix) with ESMTP id 85055DFB79 for ; Wed, 3 Apr 2013 10:41:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1763494Ab3DCKl4 (ORCPT ); Wed, 3 Apr 2013 06:41:56 -0400 Received: from mms2.broadcom.com ([216.31.210.18]:4469 "EHLO mms2.broadcom.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1760465Ab3DCKlU (ORCPT ); Wed, 3 Apr 2013 06:41:20 -0400 Received: from [10.9.208.57] by mms2.broadcom.com with ESMTP (Broadcom SMTP Relay (Email Firewall v6.5)); Wed, 03 Apr 2013 03:36:48 -0700 X-Server-Uuid: 4500596E-606A-40F9-852D-14843D8201B2 Received: from IRVEXCHSMTP2.corp.ad.broadcom.com (10.9.207.52) by IRVEXCHCAS08.corp.ad.broadcom.com (10.9.208.57) with Microsoft SMTP Server (TLS) id 14.1.438.0; Wed, 3 Apr 2013 03:41:14 -0700 Received: from mail-sj1-12.sj.broadcom.com (10.10.10.20) by IRVEXCHSMTP2.corp.ad.broadcom.com (10.9.207.52) with Microsoft SMTP Server id 14.1.438.0; Wed, 3 Apr 2013 03:41:14 -0700 Received: from arend-ubuntu-x64 (unknown [10.176.68.23]) by mail-sj1-12.sj.broadcom.com (Postfix) with ESMTP id A17B8207C4; Wed, 3 Apr 2013 03:41:08 -0700 (PDT) Received: from arend by arend-ubuntu-x64 with local (Exim 4.80) ( envelope-from ) id 1UNL7r-00034B-Ei; Wed, 03 Apr 2013 12:41:07 +0200 From: "Arend van Spriel" To: "John W. Linville" cc: linux-wireless , "Arend van Spriel" Subject: [PATCH 03/25] brcmfmac: use skb_cow() in brcmf_sdbrcm_txpkt() to assure alignment Date: Wed, 3 Apr 2013 12:40:28 +0200 Message-ID: <1364985650-11719-4-git-send-email-arend@broadcom.com> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <1364985650-11719-1-git-send-email-arend@broadcom.com> References: <1364985650-11719-1-git-send-email-arend@broadcom.com> MIME-Version: 1.0 X-WSS-ID: 7D42D9CA3A07337164-01-01 Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org In brcmf_sdbrcm_txpkt() a new packet is allocated and used to transmit to firmware freeing up the original packet. However, that packet is still referenced in firmware-signalling so this would result in a double free. Using skb_cow() avoids this as the packet reference is unchanged. Reviewed-by: Hante Meuleman Reviewed-by: Piotr Haber Reviewed-by: Pieter-Paul Giesberts Signed-off-by: Arend van Spriel --- drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c | 25 +++++--------------- 1 file changed, 6 insertions(+), 19 deletions(-) diff --git a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c index 4fa19b9..f5f04ba 100644 --- a/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c +++ b/drivers/net/wireless/brcm80211/brcmfmac/dhd_sdio.c @@ -1781,7 +1781,6 @@ static int brcmf_sdbrcm_txpkt(struct brcmf_sdio *bus, struct sk_buff *pkt, u8 *frame; u16 len, pad = 0; u32 swheader; - struct sk_buff *new; int i; brcmf_dbg(TRACE, "Enter\n"); @@ -1795,26 +1794,14 @@ static int brcmf_sdbrcm_txpkt(struct brcmf_sdio *bus, struct sk_buff *pkt, brcmf_dbg(INFO, "insufficient headroom %d for %d pad\n", skb_headroom(pkt), pad); bus->sdiodev->bus_if->tx_realloc++; - new = brcmu_pkt_buf_get_skb(pkt->len + BRCMF_SDALIGN); - if (!new) { - brcmf_err("couldn't allocate new %d-byte packet\n", - pkt->len + BRCMF_SDALIGN); - ret = -ENOMEM; + ret = skb_cow(pkt, BRCMF_SDALIGN); + if (ret) goto done; - } - - pkt_align(new, pkt->len, BRCMF_SDALIGN); - memcpy(new->data, pkt->data, pkt->len); - brcmu_pkt_buf_free_skb(pkt); - pkt = new; - frame = (u8 *) (pkt->data); - /* precondition: (frame % BRCMF_SDALIGN) == 0) */ - pad = 0; - } else { - skb_push(pkt, pad); - frame = (u8 *) (pkt->data); - memset(frame + SDPCM_HDRLEN, 0, pad); + pad = ((unsigned long)frame % BRCMF_SDALIGN); } + skb_push(pkt, pad); + frame = (u8 *) (pkt->data); + memset(frame, 0, pad + SDPCM_HDRLEN); } /* precondition: pad < BRCMF_SDALIGN */