
mwifiex: fix large amsdu packets causing firmware hang

Message ID 1469098824-8031-1-git-send-email-akarwar@marvell.com (mailing list archive)
State Accepted
Commit c81396f3da22aa8f1e8fbf7943616a0839c4d63d
Delegated to: Kalle Valo

Commit Message

Amitkumar Karwar July 21, 2016, 11 a.m. UTC
From: Cathy Luo <cluo@marvell.com>

Sometimes host prepares and downloads a large amsdu packet to firmware
which leads to a memory corruption in firmware.
The reason is __dev_alloc_skb() may allocate larger buffer than required
size. This patch solves the problem by checking "adapter->tx_buf_size"
instead of relying on skb_tailroom().

Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
---
 drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Kalle Valo July 21, 2016, 2:48 p.m. UTC | #1
Amitkumar Karwar <akarwar@marvell.com> writes:

> From: Cathy Luo <cluo@marvell.com>
>
> Sometimes host prepares and downloads a large amsdu packet to firmware
> which leads to a memory corruption in firmware.
> The reason is __dev_alloc_skb() may allocate larger buffer than required
> size. This patch solves the problem by checking "adapter->tx_buf_size"
> instead of relying on skb_tailroom().
>
> Signed-off-by: Cathy Luo <cluo@marvell.com>
> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>

Should this go to 4.8 as an important fix?

Amitkumar Karwar July 21, 2016, 2:55 p.m. UTC | #2
> From: linux-wireless-owner@vger.kernel.org [mailto:linux-wireless-
> owner@vger.kernel.org] On Behalf Of Kalle Valo
> Sent: Thursday, July 21, 2016 8:19 PM
> To: Amitkumar Karwar
> Cc: linux-wireless@vger.kernel.org; Cathy Luo; Nishant Sarmukadam
> Subject: Re: [PATCH] mwifiex: fix large amsdu packets causing firmware
> hang
> 
> Amitkumar Karwar <akarwar@marvell.com> writes:
> 
> > From: Cathy Luo <cluo@marvell.com>
> >
> > Sometimes host prepares and downloads a large amsdu packet to firmware
> > which leads to a memory corruption in firmware.
> > The reason is __dev_alloc_skb() may allocate larger buffer than
> > required size. This patch solves the problem by checking
> > "adapter->tx_buf_size" instead of relying on skb_tailroom().
> >
> > Signed-off-by: Cathy Luo <cluo@marvell.com>
> > Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
> 
> Should this go to 4.8 as an important fix?
> 

Yes. Please.

Regards,
Amitkumar.
Kalle Valo Aug. 18, 2016, 1:02 p.m. UTC | #3
Amitkumar Karwar <akarwar@marvell.com> wrote:
> From: Cathy Luo <cluo@marvell.com>
> 
> Sometimes host prepares and downloads a large amsdu packet to firmware
> which leads to a memory corruption in firmware.
> The reason is __dev_alloc_skb() may allocate larger buffer than required
> size. This patch solves the problem by checking "adapter->tx_buf_size"
> instead of relying on skb_tailroom().
> 
> Signed-off-by: Cathy Luo <cluo@marvell.com>
> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>

Thanks, 1 patch applied to wireless-drivers.git:

c81396f3da22 mwifiex: fix large amsdu packets causing firmware hang

Patch

diff --git a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
index dc49c3d..c47d636 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_aggr.c
@@ -205,7 +205,8 @@  mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv,
 
 	do {
 		/* Check if AMSDU can accommodate this MSDU */
-		if (skb_tailroom(skb_aggr) < (skb_src->len + LLC_SNAP_LEN))
+		if ((skb_aggr->len + skb_src->len + LLC_SNAP_LEN) >
+		    adapter->tx_buf_size)
 			break;
 
 		skb_src = skb_dequeue(&pra_list->skb_head);
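
Review bot: The new condition at the top of the do loop drops the skb_tailroom(skb_aggr) test entirely, so nothing in this hunk still ties the running length to the space actually allocated for skb_aggr. The commit message explains that __dev_alloc_skb() may allocate more than requested, which makes tailroom too loose a bound, but the opposite assumption (that the allocation is never smaller than adapter->tx_buf_size) is not visible in these lines. Consider keeping both bounds, breaking when either skb_tailroom(skb_aggr) is less than skb_src->len + LLC_SNAP_LEN or skb_aggr->len + skb_src->len + LLC_SNAP_LEN exceeds adapter->tx_buf_size, and update the comment "Check if AMSDU can accommodate this MSDU" to say that the limit is the firmware TX buffer size rather than the skb allocation.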