[stable] b43: Fix DMA TX bounce buffer copying

Message ID	200911151234.33621.mb@bu3sch.de (mailing list archive)
State	Not Applicable, archived
Headers	show Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id nAFBZF3n028697 for <patchwork-linux-wireless@patchwork.kernel.org>; Sun, 15 Nov 2009 11:35:15 GMT From: Michael Buesch <mb@bu3sch.de> To: stable@kernel.org Subject: [PATCH stable] b43: Fix DMA TX bounce buffer copying Date: Sun, 15 Nov 2009 12:34:31 +0100 User-Agent: KMail/1.9.9 Cc: bcm43xx-dev@lists.berlios.de, linux-wireless@vger.kernel.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200911151234.33621.mb@bu3sch.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk

Message ID

200911151234.33621.mb@bu3sch.de (mailing list archive)

State

Not Applicable, archived

Headers

From: Michael Buesch <mb@bu3sch.de>
To: stable@kernel.org
Subject: [PATCH stable] b43: Fix DMA TX bounce buffer copying
Date: Sun, 15 Nov 2009 12:34:31 +0100
User-Agent: KMail/1.9.9
Cc: bcm43xx-dev@lists.berlios.de, linux-wireless@vger.kernel.org
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200911151234.33621.mb@bu3sch.de>
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk

Commit Message

Michael Buesch Nov. 15, 2009, 11:34 a.m. UTC

None

--- linux-2.6.31.orig/drivers/net/wireless/b43/dma.c
+++ linux-2.6.31/drivers/net/wireless/b43/dma.c
@@ -1158,8 +1158,9 @@  struct b43_dmaring *parse_cookie(struct 
 }
 
 static int dma_tx_fragment(struct b43_dmaring *ring,
-			   struct sk_buff *skb)
+			   struct sk_buff **in_skb)
 {
+	struct sk_buff *skb = *in_skb;
 	const struct b43_dma_ops *ops = ring->ops;
 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
 	u8 *header;
@@ -1225,8 +1226,14 @@  static int dma_tx_fragment(struct b43_dm
 		}
 
 		memcpy(skb_put(bounce_skb, skb->len), skb->data, skb->len);
+		memcpy(bounce_skb->cb, skb->cb, sizeof(skb->cb));
+		bounce_skb->dev = skb->dev;
+		skb_set_queue_mapping(bounce_skb, skb_get_queue_mapping(skb));
+		info = IEEE80211_SKB_CB(bounce_skb);
+
 		dev_kfree_skb_any(skb);
 		skb = bounce_skb;
+		*in_skb = bounce_skb;
 		meta->skb = skb;
 		meta->dmaaddr = map_descbuffer(ring, skb->data, skb->len, 1);
 		if (b43_dma_mapping_error(ring, meta->dmaaddr, skb->len, 1)) {
@@ -1359,7 +1366,11 @@  int b43_dma_tx(struct b43_wldev *dev, st
 	 * static, so we don't need to store it per frame. */
 	ring->queue_prio = skb_get_queue_mapping(skb);
 
-	err = dma_tx_fragment(ring, skb);
+	/* dma_tx_fragment might reallocate the skb, so invalidate pointers pointing
+	 * into the skb data or cb now. */
+	hdr = NULL;
+	info = NULL;
+	err = dma_tx_fragment(ring, &skb);
 	if (unlikely(err == -ENOKEY)) {
 		/* Drop this packet, as we don't have the encryption key
 		 * anymore and must not transmit it unencrypted. */

[stable] b43: Fix DMA TX bounce buffer copying

Commit Message

Patch