From patchwork Fri Aug 16 19:39:40 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marc Kleine-Budde <mkl@pengutronix.de>
X-Patchwork-Id: 2845845
Return-Path: <linux-wireless-owner@kernel.org>
X-Original-To: patchwork-linux-wireless@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.19.201])
	by patchwork1.web.kernel.org (Postfix) with ESMTP id 2C96D9F239
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 16 Aug 2013 22:47:09 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 4F4AB20508
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 16 Aug 2013 22:47:08 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 08ABE20503
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Fri, 16 Aug 2013 22:47:07 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757741Ab3HPWrD (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Fri, 16 Aug 2013 18:47:03 -0400
Received: from metis.ext.pengutronix.de ([92.198.50.35]:33478 "EHLO
	metis.ext.pengutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1754725Ab3HPWrB (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Fri, 16 Aug 2013 18:47:01 -0400
Received: from gallifrey.ext.pengutronix.de
	([2001:6f8:1178:4:5054:ff:fe8d:eefb]
	helo=hardanger.do.blackshift.org)
	by metis.ext.pengutronix.de with esmtp (Exim 4.72)
	(envelope-from <mkl@pengutronix.de>)
	id 1VAPsB-00085F-5Y; Fri, 16 Aug 2013 21:39:47 +0200
From: Marc Kleine-Budde <mkl@pengutronix.de>
To: linux-wireless@vger.kernel.org
Cc: linux@rempel-privat.de, ath9k-devel@lists.ath9k.org,
	Helmut Schaa <helmut.schaa@googlemail.com>,
	Marc Kleine-Budde <mkl@blackshift.org>
Subject: [PATCH v2] ath9k_htc: Restore skb headroom when returning skb to
	mac80211
Date: Fri, 16 Aug 2013 21:39:40 +0200
Message-Id: <1376681980-27831-1-git-send-email-mkl@pengutronix.de>
X-Mailer: git-send-email 1.8.3.1
X-SA-Exim-Connect-IP: 2001:6f8:1178:4:5054:ff:fe8d:eefb
X-SA-Exim-Mail-From: mkl@pengutronix.de
X-SA-Exim-Scanned: No (on metis.ext.pengutronix.de);
	SAEximRunCond expanded to false
X-PTX-Original-Recipient: linux-wireless@vger.kernel.org
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Helmut Schaa <helmut.schaa@googlemail.com>

ath9k_htc adds padding between the 802.11 header and the payload during
TX by moving the header. When handing the frame back to mac80211 for TX
status handling the header is not moved back into its original position.
This can result in a too small skb headroom when entering ath9k_htc
again (due to a soft retransmission for example) causing an
skb_under_panic oops.

Fix this by moving the 802.11 header back into its original position
before returning the frame to mac80211 as other drivers like rt2x00
or ath5k do.

Reported-by: Marc Kleine-Budde <mkl@blackshift.org>
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Tested-by: Marc Kleine-Budde <mkl@blackshift.org>
Signed-off-by: Marc Kleine-Budde <mkl@blackshift.org>
---
Hello Helmut,

I've change the patch a bit, I've used ieee80211_get_hdrlen_from_skb() instead
of open coding it.

Tested in ARMv5 with USB device
  "ID 0cf3:7015 Atheros Communications, Inc. TP-Link TL-WN821N v3 802.11n [Atheros AR7010+AR9287]"
for four weeks. Without that patch the kernel oopes after about one week.

I think this is a candidate for stable, can you add stable to Cc?

regards,
Marc

changes since v1:
- use ieee80211_get_hdrlen_from_skb() instead of open coding it

 drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index e602c95..c028df7 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -448,6 +448,7 @@ static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv,
 	struct ieee80211_conf *cur_conf = &priv->hw->conf;
 	bool txok;
 	int slot;
+	int hdrlen, padsize;
 
 	slot = strip_drv_header(priv, skb);
 	if (slot < 0) {
@@ -504,6 +505,15 @@ send_mac80211:
 
 	ath9k_htc_tx_clear_slot(priv, slot);
 
+	/* Remove padding before handing frame back to mac80211 */
+	hdrlen = ieee80211_get_hdrlen_from_skb(skb);
+
+	padsize = hdrlen & 3;
+	if (padsize && skb->len > hdrlen + padsize) {
+		memmove(skb->data + padsize, skb->data, hdrlen);
+		skb_pull(skb, padsize);
+	}
+
 	/* Send status to mac80211 */
 	ieee80211_tx_status(priv->hw, skb);
 }